Federal Housing Finance Agency Print

 Advisory Bulletins

 

 

Information Security Management23836All9/28/2017 4:00:00 AMAB 2017-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-02<br></p><p>INFORMATION SECURITY MANAGEMENT<br></p></td></tr></tbody></table> <br> <p> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong><br></p><p></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on information security management for supporting a safe and sound operational environment and promoting the resilience of Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities&#160;<a href="#ref1">[1]</a>).<br></p><p>The guidance in this AB is applicable to the regulated entities and is based on current regulatory and industry standards. It does not prescribe specific standards or technology solutions, but describes three main components of an information security program (program). Each regulated entity should use a risk-based approach across key areas listed below to meet FHFA supervisory expectations&#58;<br></p><p></p><p>I. Governance<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Roles and Responsibilities</p><p>B. Risk Assessments</p><p>C. Industry Standards</p><p>D. Cyber-Insurance</p></blockquote><p>II. Engineering and Architecture</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Network Security</p><p>B. Software Security</p><p>C. Endpoints</p></blockquote><p>III. Operations</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Continuous Monitoring</p><p>B. Vulnerability Management</p><p>C. Baseline Configuration</p><p>D. Asset Life Cycle</p><p>E. Awareness and Training</p><p>F. Incident Response and Recovery</p><p>G. User Access Management</p><p>H. Data Classification and Protection</p><p>I. Third-Party Oversight</p><p>J. Threat Intelligence Sharing</p></blockquote><div> <br> </div><p>This AB on information security management supersedes AB 2014-05 (Cyber Risk Management Guidance) and the Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002 (Safety and Soundness Standards for Information).</p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong><br></p><p>Effective information security management protects the availability, integrity, and confidentiality of information in both electronic and physical form.&#160; Information security management encompasses the management of cyber risk, which focuses on protecting systems, operating locations, and risk related to cyber threats.&#160;&#160;<br></p><p>The frequency and sophistication of information security threats to the financial services industry increases the importance of information security management.&#160; Information security incidents can compromise sensitive, confidential, or personally identifiable information.&#160; Such incidents can affect the integrity and availability of business critical information and systems and expose an institution to risk.&#160; Each regulated entity’s risk appetite, policies, operational and technological practices, third-party relationships, governance structure, and the level of involvement of the board of directors (board) and senior management should support effective information security management.&#160; FHFA’s guidelines for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236.&#160; Three relevant PMOS articulate guidelines for the board and management when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).</p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Guidance</em></strong><br></p><p>FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program.&#160; The regulated entities may use third parties to perform information security activities, but that does not diminish their information security responsibilities.&#160; Although information security risks cannot be eliminated, they can be managed safely and soundly.</p><p> <br> </p><p> <strong>I. Governance</strong><br></p><p>Management at each regulated entity should align the program with the regulated entity’s enterprise risk management framework.&#160; The program should be comprehensive, involve board participation, and include repeatable and executable processes for managing information security risks and incidents.&#160; Each regulated entity should periodically evaluate its approach and appropriately document its program, ensuring that documentation is updated regularly to reflect changes to the program.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. Roles and Responsibilities</p></blockquote><p>The board is responsible for maintaining and prioritizing a strong information security culture, providing oversight of senior management’s information security risk management activities, and reviewing and approving the information security risk appetite and program.&#160; Delegation of any of these activities to a board-level committee does not relieve all board members of their responsibility to remain informed about how their entity’s information security management practices appropriately address potential risks, consistent with the established risk appetite.&#160;<br></p><p>Senior management is responsible for establishing and implementing a program consistent with the regulated entity’s risk appetite, developing and implementing policies, and supporting the board’s oversight responsibilities.&#160; The program should include procedures, guidelines, and periodic self-assessment activities, and should be proportional to the information security risks at institutional, business, and operational levels.&#160; Senior management should periodically evaluate and update the program, particularly when new risks or program weaknesses are identified.&#160; Furthermore, senior management should establish and maintain information security policies that prioritize information security management efforts in alignment with risk appetite, strategies, goals and objectives, escalation and security incident management procedures, and processes for how to assess and respond to information security risks and incidents.<br></p><p>Senior management should report to the board at least annually on the overall status of the program; any significant issues with their entity’s adherence and exceptions to applicable requirements and guidance; and significant emerging risks, strategies, and other information to ensure that information security management practices appropriately address potential risks.&#160; Management reports should address issues such as risk assessments, risk management and control decisions, third-party relationships, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the program.&#160;&#160;</p><p>A Chief Information Security Officer or equivalent (CISO) should head the program at each regulated entity.&#160; The CISO is responsible for overseeing and reporting on the management and mitigation of information security risks.&#160; The CISO should have appropriate independence, authority, and resources to carry out the responsibilities of the position.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Risk Assessments</p></blockquote><p>Each of the regulated entities should conduct periodic risk assessments of its program to identify, understand, and prioritize information security risks relevant to business operations, including assessments of third parties and IT architecture.&#160; Enterprise-wide risk assessments should identify internal and external threats that, alone or in tandem, could result in unauthorized access and subsequent loss, alteration, or exploitation of sensitive, confidential, or personally identifiable information.&#160; The risk assessment should identify the likelihood and potential impact of these threats as well as the residual risk of impact after considering controls and mitigating factors.&#160;&#160;<br></p><p>As part of risk assessments, each of the regulated entities should identify and prioritize which risks to avoid, accept, mitigate, or transfer.&#160; Periodic information security gap analyses should be conducted and reported to the board with steps to promptly remediate gaps.&#160; Management should also establish and maintain a waiver process that includes risk identification and compensating controls for remediation activities that do not comply with policy.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Industry Standards</p></blockquote><p>Each regulated entity’s program should align with appropriate industry standards (e.g., standards promulgated by National Institute of Standards and Technology and International Organization for Standardization) commensurate with the complexity and risk profile of the entity.&#160; Each regulated entity should periodically review its program to verify that it reflects industry standards.&#160; Management should identify and address any gaps between the program and chosen industry standard(s) and should document the rationale for accepted risks.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Cyber-Insurance</p></blockquote><p>If the regulated entity uses an insurance policy to transfer part of the financial exposure of an information security incident, management should understand the extent of coverage, conditions of coverage, and requirements governing the reimbursement of claims and report on them to the board.&#160;&#160;</p><p> <br> </p><p> <strong>II. Engineering and Architecture</strong></p><p>Security engineering and architecture address risks to an IT environment by building security into an information system.&#160; Each regulated entity should design its information networks, software, and Internet-capable devices at the network boundary commensurate with identified information security risks and consistent with the entity’s risk appetite.&#160; The designs should include defense in depth, access control, and separate production and non-production IT environments.&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. Network Security</p></blockquote><p>The regulated entities should design their networks to allow for continuously monitored network systems that provide a view into operational controls and include the ability to provide timely remediation.&#160; The design of the network should include network segmentation, proxy hosts, firewalls, demilitarized zones, intrusion detection and prevention systems, security zones, and virtual private networks.&#160; FHFA expects the regulated entities to place log generating devices and sensors throughout their respective networks and feed security logs to a security information and event management device for continuous monitoring.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Software Security</p></blockquote><p>Effective software security requires selecting, implementing, and monitoring appropriate controls to restrict end users’ ability to install and modify software.&#160; Each of the regulated entities should integrate application code reviews, security testing, and secure deployment to its development processes.&#160; Each of the regulated entities should also consider other activities such as threat modeling and static code analysis for high-risk, custom application development.&#160; Policies and device and network controls should ensure that users download software only from approved sites.&#160; Each regulated entity should assess and protect against the risks of using open source software (OSS) solutions, including an evaluation of the reliability of the source of the OSS solution.&#160; Such an assessment is particularly important when using OSS without strong support communities.&#160; Each regulated entity should also address user-developed technologies with end-user development policies that include inventory, classification, and testing policies and enforce change and access control.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Endpoints</p></blockquote><p>The program should have requirements to secure any organization-owned endpoint using private networks, access control, intrusion detection and prevention, vulnerability scanning, virus protection, and data encryption.&#160; Use of personal devices such as laptops, tablets, and smart phones present security risks that each regulated entity’s program should fully address.&#160; FHFA expects management to establish and maintain policies for all devices with network access, including employee-, contractor-, and guest-owned devices, and to engineer network and software solutions to manage risks associated with these devices.&#160; The programs should require all users of endpoints connected to regulated entity systems to follow such policies and maintain an information security culture.&#160; Restrictions on resources and applications, segregation of personal data from the regulated entity’s data, and real-time monitoring, such as endpoint detection and response capabilities should be incorporated into the program.</p><p>Each regulated entity’s program should include policies addressing the use of all configurable media and hardware that have access to the regulated entity’s information.&#160; This may include any removable media, personal devices, laptops, printers, and scanners.&#160; The policy should restrict transfers of information to and from removable media to prevent unwanted disclosure of the regulated entities’ information and to protect the IT environment.</p><p>&#160;<br></p><p> <strong>III. Operations</strong></p><p>Security operations provide essential protection of information systems by monitoring, assessing, and defending such systems from threats and harm, and security solutions should be engineered into information systems.&#160; Each regulated entity’s program should apply a defense in depth approach to operational security practices on an ongoing basis, including system monitoring, vulnerability management, baseline maintenance, asset life cycle procedures, staff training, incident response and recovery, access management, data protection, third-party oversight, and threat intelligence sharing.&#160; Additionally, the regulated entities should monitor their physical facilities, including monitoring for exposure to environmental threats.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. Continuous Monitoring</p></blockquote><p>An effective program should include continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems.&#160; The program should define monitoring procedures, roles, and responsibilities, and a process for evaluating the effectiveness of identified controls.&#160; Operational security monitoring includes network, physical event, and user activity monitoring.&#160; The regulated entities should use operational security monitoring to mitigate the risks of insider threats.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Vulnerability Management</p></blockquote><p>Vulnerability management is an essential component of the program and should include both regular vulnerability assessments and the timely remediation of vulnerabilities that exceed the risk appetite.&#160; Unsupported or out-of-date systems, assets, and applications should be identified, monitored, and addressed within a vulnerability management process.&#160; Patches should be reviewed through a testing and approval process prior to deploying fixes.&#160; Procedures should require management’s approval, impact analysis, and justification for any accepted vulnerabilities or vendor-provided upgrades or patches not implemented internally.&#160; Identified vulnerabilities that present considerable risk require prompt analysis and timely approval and remediation.</p><p>The regulated entity should regularly test the effectiveness of key controls, systems, and procedures used to protect against information security risks through vulnerability scanning, internal and external audits, and penetration testing.&#160; Management should develop and maintain risk-based policies that define the scope and frequency of regular tests.&#160; The policies should also define triggers, such as significant changes to technologies or a security incident that will result in tests of key controls, systems, and procedures.&#160; Independent parties may conduct and review such tests.&#160; Procedures should be in place to track and independently validate the remediation of identified vulnerabilities.&#160; Results from these tests should inform updates to the program.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Baseline Configuration</p></blockquote><p>The program should include maintenance of accurate and complete inventories of IT assets and systems as well as baseline configurations of assets and systems.&#160; The program should include a formal change management process for baseline configuration adjustments to address such changes.&#160; The regulated entities should establish and maintain security standards for technology platforms and use tools to automatically compare such standards to the actual configuration of deployed assets and notify appropriate person(s) responsible for security operations of any unapproved changes.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Asset Life Cycle</p></blockquote><p>The program should include procedures to define, inventory, maintain, protect, and retire systems and technologies to support continued operations and normal business processes.&#160; Additionally, all systems should have life cycle plans that provide details on procurement, inventory maintenance, ownership, retirement, and disposal.&#160; The program should include procedures requiring documentation of maintenance schedules and repairs on assets in accordance with manufacturer or vendor specifications and internal requirements.&#160; The policies on asset maintenance should also define roles and responsibilities for approving removal of, or changes to, an IT asset, recovery of all information prior to maintenance, and verifying all security controls function after maintenance.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">E. Awareness and Training</p></blockquote><p>Consistent with a strong information security culture, the program should include enterprise-wide information security awareness and training processes appropriate to each of the regulated entities’ systems, size, and complexity.&#160; The program should provide that personnel, including third parties with access to the regulated entities’ IT systems, receive general and role-based training on the policies and procedures governing the use of information systems, potential security threats (e.g., phishing), and how management enforces information security policies.&#160; The board should receive training appropriate with its oversight role.&#160; The program should address the expected frequency of awareness and training events, and role-based training qualifications.&#160; All employees and contractors are responsible for maintaining an information security culture involving the protection of the regulated entities’ information and systems.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">F. Incident Response and Recovery</p></blockquote><p>The program should include an incident response plan that documents the triggers, procedures, roles and responsibilities, and resources for eradicating and/or limiting the expansion of an information security incident and minimizing its effects.&#160; Incident response plans should address both physical and cyber events that could affect the availability, confidentiality, and integrity of information.&#160; Repeatable and executable procedures to respond to information security incidents should be proportional to the characteristics of the identified exposures.&#160; These procedures should prioritize and establish resiliency requirements for critical services and dependencies, be rehearsed and tested, identify criteria for escalation and reporting, and define scenarios that would result in the execution of the business continuity program.</p><p>The incident response plan should include an incident recovery plan that identifies person(s) responsible for initiating the recovery plan, defines criteria that must be met to return compromised services and technology to the network, and explains how to document the decisions and actions taken for future reference.&#160; Recovery operations should reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics.&#160;&#160;</p><p>The incident response plan should address how to coordinate communication with internal and external stakeholders about response and restoration activities.&#160; Additionally, incident response and recovery activities should have sufficient follow-up analyses to determine whether procedures were followed and the actions taken were adequate.&#160; These analyses should include investigating detection system notifications, understanding the impact of incidents, performing forensics, and classifying the incidents.&#160; These analyses should use indicators to appropriately quantify the impact of the incident and feed into remediation plans and risk management reporting.&#160;&#160;</p><p>Follow up analyses should identify areas of improvement for future updates to incident response plans.&#160; An independent party (e.g., internal audit or an outside consultant) should periodically validate the implementation and effectiveness of incident response and recovery activities.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">G. User Access Management</p></blockquote><p>The program should define policies and procedures to grant, revoke, monitor, and regularly review appropriate access for all users.&#160; Access should be based on the minimum rights required for the identified business purpose, or least privilege.&#160; The program should establish and maintain a process governing access control of and documenting reasons for using shared accounts.&#160; Terminated or transferred users with different role requirements should be removed promptly.&#160; The program should include maintenance of access logs to effectively monitor user activity.</p><p>User access security controls should include logical and physical access controls, password safeguards, monitoring for unauthorized changes to IT systems or applications, and network encryption as appropriate.&#160; Each regulated entity should consider whether to adopt additional solutions, including segregation of duties, configuration management, change management, identification and authentication management, and background investigation checks.&#160; Operating locations should be physically secured and designed to deny unauthorized access to facilities, equipment, data, and resources.</p><p>Logical access controls, including remote access management, should restrict remote access usage to that defined in and allowed by relevant policies.&#160; Monitoring of remote access should include the identification of remote access devices that attach to systems.&#160; Furthermore, logical access controls should have security features with an appropriate level of sophistication to authenticate users that connect to the network.&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">H. Data Classification and Protection</p></blockquote><p>Each of the regulated entities possesses sensitive, confidential, or personally identifiable information that it needs to protect from loss, alteration, or exploitation.&#160; Classification of such information based on importance and sensitivity should guide their determination of the appropriate level of protection.&#160; Management should establish and maintain policies that address where sensitive, confidential, or personally identifiable information may reside; how to manage and use that information; and how to transmit, transport, protect, and dispose of that information.</p><p>Each of the regulated entities may protect information through a variety of means, such as using front and back end controls on user access, encryption, verification tools to detect unauthorized changes to data, and data loss prevention measures.&#160; Each of the regulated entities should evaluate the effectiveness of protection and preventative measures regularly.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">I. Third-Party Oversight</p></blockquote><p>FHFA expects the regulated entities to understand and manage the risks of third-party access to or maintenance of institutional information.&#160; The information security policies and level of sensitivity and access to information should inform third party security responsibilities.&#160; Each regulated entity’s program should include policies and procedures, contractual assurance for security responsibilities, controls, reporting, nondisclosure of data, and incident notification requirements.&#160; Each regulated entity should define when information security incidents should result in substituting or replacing services provided by third parties, if feasible.</p><p>When using a technology service provider (TSP), such as a cloud computing or technology solutions provider, each of the regulated entities should review the TSP’s information security programs and select a TSP that is consistent with established risk tolerances.&#160; In its selection, each regulated entity should consider the TSP’s abilities to identify and mitigate cyber threats to data and operational infrastructure, effectively carry out incident response procedures to cyberattacks, and perform adequate business continuity resilience.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">J. Threat Intelligence Sharing</p></blockquote><p>The Cybersecurity Information Sharing Act of 2015 encourages information sharing between the federal government and other recognized organizations.&#160; Sharing and receiving technical information, such as threat indicators and emerging risks, promotes financial sector resiliency and provides the regulated entity additional situational awareness to remain current in their defenses.&#160; Each of the regulated entities should participate in and incorporate information from external coordination efforts relevant to their respective operations.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Related Guidance</em></strong><br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Data-Management-and-Usage.aspx">Data Management and Usage</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2016-04, September 29, 2016.<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Information-Technology-Investment-Management.aspx">Information Technology Investment Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014 (superseded).<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.&#160;</p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=4789529b5c4a4e95899da27516cdc49e&amp;mc=true&amp;node=pt12.10.1233&amp;rgn=div5">12 CFR Part 1233 Reporting of Fraudulent Financial Instruments</a>, February 11, 2013.<br></p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=7d165130b500cae028042a9b47b757aa&amp;mc=true&amp;node=pt12.10.1236&amp;rgn=div5">12 CFR Part 1236 Prudential Management and Operations Standards</a>, June 8, 2012.<br></p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001 (superseded).<br></p><p> <br> </p><hr /> <p> <a name="ref1">[1]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See <a href="https&#58;//www.gpo.gov/fdsys/pkg/USCODE-2010-title12/html/USCODE-2010-title12-chap46-sec4502.htm">12 U.S.C. 4502(20)</a>. However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF.</p><br><br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <span style="color&#58;#444444;font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; This advisory bulletin is effective immediately upon issuance.&#160; For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation, at <a href="mailto&#58;Amy.Bogdon@fhfa.gov">Amy.Bogdon@fhfa.gov</a>.&#160; For Fannie Mae and Freddie Mac, contact Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> or Brian Schwartz, Senior Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Brian.Schwartz@fhfa.gov">Brian.Schwartz@fhfa.gov</a>.</span></td></tr></tbody></table> <br>9/29/2017 9:27:03 PM780https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Classifications of Adverse Examination Findings22824All3/13/2017 4:00:00 AMAB 2017-01<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-01</p><p>CLASSIFICATIONS OF ADVERSE EXAMINATION FINDINGS</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15pt;"> <em></em></strong> <br></p><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"> <em>Purpose</em></strong></p><p>This advisory bulletin establishes classifications of adverse examination findings at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (the regulated entities) and the Office of Finance. Adverse examination findings are typically risk management deficiencies, increases in risk exposures, or violations of laws, regulations, or orders that affect the performance or condition of a regulated entity or the Office of Finance. This advisory bulletin establishes classifications of examination findings that identify priorities for remediation by the regulated entities and the Office of Finance and guide FHFA in the development of supervisory strategies. This advisory bulletin supersedes and rescinds Advisory Bulletin 2012-01, <em>Categories of Examination Findings (April 2, 2012)</em>.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Communication of Adverse Examination Findings</em></strong></p><p>FHFA staff communicates examination findings to a regulated entity or the Office of Finance&#160;through the examination process. Reports of examination and other formal written&#160;communications summarize examination findings, assessments, and conclusions. FHFA&#160;provides a report of examination to the board of directors of the regulated entity or the Office of&#160;Finance. The board’s awareness of significant supervisory issues is critical because it is&#160;ultimately responsible for the organization’s safety and soundness.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Adverse Examination Findings Classifications&#58;</em></strong></p><p>When communicating adverse examination findings to the regulated entities and Office of&#160;Finance, examination staff will use the following classifications&#58;</p><div><ol><li><p><em>Matters Requiring Attention</em> (MRAs) fall into one of the following categories&#58;</p></li><ul><li><p>Critical supervisory matters (the highest priority) which pose substantial risk to the&#160;safety and soundness of the regulated entity or the Office of Finance. They may involve instances of noncompliance with laws or regulations of a serious nature or may be&#160;repeat criticisms that have escalated in importance because of insufficient attention or action by the regulated entity or Office of Finance.</p></li><li><p>Deficiencies which are supervisory concerns that FHFA believes could, if not corrected,escalate and potentially negatively affect the condition, financial performance, risk profile, operations, or reputation of the regulated entity or the Office of Finance.</p></li><li><p>The distinction between critical supervisory matters and deficiencies is the nature and severity of the issues requiring corrective action. Corrective action for an MRA must be articulated in written remediation plans and timeframes that reflect the significance of the findings.</p></li></ul><li><p><em>Recommendations</em> are advisory in nature and suggest changes to a policy, procedure,&#160;practice, or control that supervision staff believes would improve, or prevent deterioration&#160;in, condition, operations, or performance. Implementation is discretionary, although FHFA&#160;expects the regulated entity or Office of Finance to implement recommendations unless the&#160;regulated entity or Office of Finance can demonstrate through a reasoned assessment that&#160;the recommended action is unwarranted or is likely to be detrimental to condition,&#160;operations, or performance.</p></li><li><p><em>Violations</em> are matters in which an examination discloses noncompliance with laws, regulations, or&#160;orders. Violations require action by the regulated entity or Office of Finance to correct, if possible,&#160;the past noncompliance with requirements and to change a program or practice to prevent&#160;recurrence. The expected remediation timeframe depends on the seriousness of the actual or&#160;potential consequences of the violation and the time required for the regulated entity to implement&#160;required corrective action. A violation that may negatively affect the condition or practices of the&#160;regulated entity may also be identified as an MRA.</p></li><br><br></ol><div><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>The adverse examination findings classifications defined in this Advisory Bulletin are effective for the&#160;2017 examination cycle for Fannie Mae and Freddie Mac. The adverse examination findings&#160;classifications are effective upon issuance of this Advisory Bulletin for all Federal Home Loan Bank&#160;and Office of Finance examinations not yet started.</p><p><br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on&#160;specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. Contact Louis Scalza, Associ<span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">ate Director, Division of Bank&#160;</span>Regulation at <a href="mailto&#58;Louis.Scalza@fhfa.gov">Louis.Scalza@fhfa.gov</a> or Jim Griffin, Associate Director, Division of Enterprise R<span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">egulation at <a href="mailto&#58;James.GriffinJr@fhfa.gov">James.GriffinJr@fhfa.gov</a>, with comments or questions pertaining to this bulletin.</span></td></tr></tbody></table><br></div> </div>3/13/2017 6:54:21 PM1652https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Internal Audit Governance and Function21390All10/7/2016 4:00:00 AMAB 2016-05<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2016-05</p><p>INTERNAL AUDIT GOVERNANCE AND FUNCTION</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15pt;"><em></em></strong><br></p><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Purpose</em></strong></p><p>This Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF).&#160; References to the regulated entities<a href="#1"><span style="text-decoration&#58;underline;">[1]</span></a> in this AB equally apply to the OF.&#160; This AB rescinds and replaces the following guidance&#58;</p><ul><li>2002-AB-05&#58;&#160; <em>Risk Assessment – Internal Auditor Independence;</em></li><li>1999-AB-10&#58;&#160; <em>Internal Audit Department External Reviews; </em>and</li><li>1996-AB-01&#58;&#160; <em>Examination Reviews of Audit Independence, Audit Committee Oversight of Selection, Compensation and Performance Evaluation of the Audit Director</em>.<br>&#160;<br>The Federal Housing Finance Agency (FHFA) requires the regulated entities to establish independent Internal Audit (IA) functions and expects those IA functions to provide timely feedback to management and assurance to audit committees on the effectiveness of regulated entities' internal controls, risk management, and governance.&#160; Timely and reliable information about elevated risks and internal control systems are important so that management can make prompt corrections.&#160; This AB sets forth FHFA guidance and supervisory expectations regarding&#58;</li></ul><ol><li>Audit Committee Oversight of the IA Function; &#160;</li><li>IA Independence and Objectivity; and</li><li>IA Attributes and Operations - including IA's role in reporting to the audit committee on the regulated entity's identification of significant risks and the existence and effectiveness of related internal controls.<br><br>A regulated entity's risk management framework generally comprises&#58;<br>&#160;</li></ol><ul><li>Units engaged in business operations, which take and manage risks and report directly to management;<a href="#2"><span style="text-decoration&#58;underline;">[2]</span></a></li><li>Independent risk management (including enterprise risk management, compliance, and other risk control functions), which monitors risk-taking activities, assesses risks and issues independent of business operations units, and is separate from first-line operating management but still under the direction and control of senior management; and</li><li>IA, which reports independently to the audit committee on risks, risk management, and the effectiveness of the regulated entity's system of internal controls.<br>&#160;</li></ul><p>This structure is commonly known as the &quot;three lines of defense,&quot; and together these elements should form a strong and effective risk management framework.&#160; The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.</p><p>FHFA expects Chief Audit Executives (CAEs)<a href="#3"><span style="text-decoration&#58;underline;">[3]</span></a> to establish and audit committees to oversee IA functions that&#58;&#160; </p><ul><li>Are independent and objective;</li><li>Continuously monitor key activities and associated risks;&#160; </li><li>Adapt audit approaches and activities to address changes; and</li><li>Identify and communicate internal control deficiencies and emerging, previously unidentified, or undervalued risks (<em>i.e.</em>, risks that have become more significant) to the audit committee and management.&#160;&#160;&#160;&#160;<br><br>FHFA further expects audit committees, through their direction to and oversight of CAEs and IA functions, to validate that staffing and resource decisions take appropriate account of the risks at the regulated entity.&#160; FHFA expects that these decisions consider the entity's size, scale, complexity of operations, pace of innovation, and financial standing.</li></ul><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Background</em></strong></p><p>FHFA recently published a revised rule, 12 CFR Parts 1236 and 1239, <em>Responsibilities</em><em> of Boards of </em> <em>Directors, Corporate Practices,</em><em> and Corporate</em><em> Governance</em><em> </em> <em>Matters</em>, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises.&#160; In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the <em>FHFA</em><em> </em> <em>Prudential</em><em> </em> <em>Management</em><em> </em> <em>and Operations Standards</em><em> </em>(PMOS) (12 CFR Part 1236, Appendix).&#160; FHFA requirements relating to the OF's audit committee are set forth at 12 CFR 1273.9.</p><p>For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with respect to the IA function.<a href="#4"><span style="text-decoration&#58;underline;">[4]</span></a> </p><p>The OF is the FHLBanks' fiscal agent.&#160; It compiles and publishes the FHLBanks' Combined Financial Reports.&#160; The OF's audit committee composition, responsibilities, and charter are addressed in 12 CFR 1273.9 and are similar to those applicable to FHLBanks.&#160; The OF is not a Securities and Exchange Commission registrant.</p><p>For the Enterprises, regulations in 12 CFR 1239.5(b) require that all the board committees comply with requirements established by the New York Stock Exchange (NYSE) and that the audit committees also comply with the requirements of Section 301 of the Sarbanes-Oxley Act of 2002.<a href="#5">[5]</a>&#160; Relevant portions of the NYSE rules address the composition of the audit committee, the independence of its members, the general requirements for its charter, the responsibilities and duties of the audit committee (which include assisting the board in oversight of the IA function), and the need for audit committees to meet separately and periodically with management, CAEs, and independent auditors.<a href="#6">[6]</a>&#160; </p><p>Because the existing regulations and guidelines provide general requirements for oversight of the IA function, FHFA is issuing this AB to provide an additional level of detail on the responsibilities of audit committees in their oversight of the IA function, as well as on the independence and operation of the IA function.&#160; This guidance reflects FHFA's supervisory expectations that the audit committee actively and rigorously oversees the IA function and that the function is independent, objective, and effective.&#160; Further, this guidance is informed by FHFA's understanding of industry best practices for IA governance and operations at larger and more complex financial institutions.</p><p>In addition, the provisions of this AB are consistent with IA guidance issued by the federal banking regulatory agencies.&#160; That guidance includes the <em>Interagency Policy Statement on the Internal Audit Function and its Outsourcing</em> (March 17, 2003) and the Federal Reserve Board's <em>Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing</em> (January 23, 2013).&#160; This AB is also consistent with the <em>OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; </em> <a href="https&#58;//www.federalregister.gov/regulations/1557-AD78/occ-guidelines-establishing-heightened-standards-for-certain-large-national-banks-federal-savings-as"> <span style="text-decoration&#58;underline;"> <em>Integration of 12 CFR Parts 30 and 170</em></span></a> (effective November 10, 2014) and with guidance in the October 27, 2009 FHFA <em>Examination for Accounting Practices</em> document, which remains in effect.&#160; </p><p style="text-decoration&#58;underline;"> <em style="font-size&#58;15px;"> <strong>Guidance</strong></em></p><p>&#160;&#160;&#160;&#160;&#160; <strong>I.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>Audit </strong> <strong>Committee Oversight of the </strong> <strong>IA Function</strong></p><p>The board of directors of each regulated entity is required to have an audit committee responsible for overseeing the IA function and an individual responsible for the IA function (referred to in this document as the CAE, regardless of that individual's title).&#160; The audit committee should have regular and open communications with the CAE.</p><p>The audit committee should direct the CAE to structure the IA function so that it is appropriately designed, independent, and objective, and so that it effectively identifies and assesses risks.&#160; The committee should confirm that the regulated entity's IA audit methodology is established and activities are conducted in accordance with appropriate professional standards, such as the Institute of Internal Auditors' <em>International</em><em> </em> <em>Standards for the Professional </em> <em>Practice </em> <em>of Internal Auditing</em><em> </em> <em>(IIA Standards). </em>&#160;The CAE should periodically review IA's audit methodology with the committee and the committee should approve the methodology and significant changes thereto.&#160; Further, the audit committee should oversee the process by which issues that are reported by IA are promptly addressed and satisfactorily resolved by management.</p><p>A.&#160;&#160;&#160; <em>Audit </em> <em>Committee</em><em> </em> <em>Charter</em><em> </em> <em>and the </em> <em>Internal</em><em> Audit </em> <em>Function</em></p><p>The audit committee is required to operate pursuant to a written charter,<a href="#7"><span style="text-decoration&#58;underline;">[7]</span></a> which should be reviewed at least annually by the audit committee and full board of directors (board), and be re-approved at least every three years by the board.<a href="#8"><span style="text-decoration&#58;underline;">[8]</span></a> &#160;</p><p>FHFA expects that, at a minimum, the audit committee charter will address the following matters regarding the IA function&#58;<a href="#9"><span style="text-decoration&#58;underline;">[9]</span></a></p><ul><li>CAE selection, evaluation, compensation, and where appropriate, replacement&#58;&#160; The charter should establish that the CAE may be hired or removed only with audit committee approval.</li><li>CAE reporting relationships&#58; &#160;The charter should establish that the CAE reports directly to the audit committee and is ultimately accountable to the audit committee and board of directors in order to maintain independence and objectivity.</li><li>CAE access to the audit committee&#58; &#160;The charter should provide the CAE with unrestricted access to the committee without the need for any prior management knowledge or approval and should establish executive session meetings with the CAE. </li><li>Annual review and approval of the Audit Plan&#58; &#160;The committee should confirm that the scope of IA's activities is appropriate and approve the annual Audit Plan and significant changes thereto.</li><li>Annual review and approval of the IA department's budget&#58; &#160;The committee should confirm that IA has sufficient resources to accomplish its objectives and approve the department's budget.<br>&#160;</li></ul><p>B.&#160;&#160;&#160; <em>Audit </em> <em>Committee Communication</em><em> with </em> <em>Internal</em><em> </em> <em>Audit</em></p><p>The audit committee and the CAE, including IA staff, should have unrestricted access to each other without prior management knowledge or approval. &#160;FHFA expects audit committee leadership to discuss audit matters with the CAE between and apart from regular audit committee meetings to stay current on IA operations, emerging risks, and other relevant matters. &#160;If significant issues arise in these discussions, they should be covered timely with the committee. &#160;Regular executive sessions with the CAE are essential to ensure open and complete communications. &#160;These executive sessions should be confidential, closed to management, and should be regularly scheduled.</p><p>An important component of effective communications between the CAE and audit committee are the regular written reports to the audit committee prior to each meeting and otherwise as warranted.&#160; Regular written reports from IA to the committee should generally address&#58;</p><ul><li>Audit Findings and Risk Analyses&#58;</li><ul><li>Audit reports focusing on less than satisfactory findings;</li><li>Significant and higher-risk issue follow-up information, including potential impact, aging, past-due status, root-cause analysis, progress towards remediating significant findings, and thematic trends;</li><li>Clear, timely, detailed reporting on open remediation plans, along with associated timetables that were agreed upon by stakeholders for significant open audit issues;</li><li>Information on significant industry and institution trends in risks and controls;&#160; </li><li>An assessment of risk management processes, including whether monitoring processes are appropriate and the effectiveness of management's self-assessment and remediation of identified issues; and</li><li>Aggregate information on the nature of significant trends, if any, in audit findings and observations that have been communicated to management but not detailed in reports to the audit committee.</li></ul><li>Audit Department Performance and Processes&#58;</li><ul><li>Audit coverage and completion versus the Audit Plan;</li><li>Budgeted versus actual audit hours;</li><li>Any updates or amendments to the Audit Plan, including support for changes;</li><li>Results of internal and external quality assurance reviews;</li><li>Updates on the status of IA annual goals and objectives;</li><li>Significant changes in audit staffing levels and the status of required staff training;</li><li>Information on major projects and initiatives; and</li><li>Any significant changes in IA processes, including a periodic review of key IA policies and procedures.</li></ul></ul><p>C.&#160;&#160;&#160; <em>Monitoring</em><em> and </em> <em>Performance </em> <em>Assessments</em></p><p>The audit committee should maintain a robust process for monitoring and, at least annually, formally assessing and evaluating CAE performance and the effectiveness of the IA function.&#160; The process should generally incorporate input from senior management and external auditors, from any outside peer reviews or assessments including regulatory examinations, and from the audit committee's own observations of and interactions with the CAE and IA staff.&#160; The audit committee should document its assessments of the CAE's and IA function's performance.</p><p>&#160;&#160;&#160; <strong>II.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>IA Independence and Objectivity</strong></p><p>A.&#160;&#160;&#160; <em>Conflicts</em><em> of </em> <em>Interest</em></p><p>Before appointing a CAE, and thereafter at least annually, the audit committee should confirm with the CAE and document whether the CAE has any actual or apparent conflicts of interest and should develop appropriate limits for the CAE's activities accordingly.&#160; If an audit committee considers a candidate for CAE with potential conflicts of interest, the conflicts, and any mitigating considerations, should be disclosed to and discussed by the audit committee and should be clearly documented in audit committee records.</p><p>Similarly, the CAE should regularly assess whether IA staff has actual, potential, or apparent conflicts of interest and appropriately restrict the activities of the staff to avoid those conflicts.&#160; At least annually, the CAE should confirm IA activities' independence to the audit committee.&#160; To help maintain the highest level of objectivity in the IA function, CAEs should consider rotating assignments for lead auditors and audit staff when feasible.</p><p>B.&#160;&#160;&#160; <em>Placement</em><em> of</em><em> </em> <em>IA</em><em> </em> <em>in the</em><em> Organization</em></p><p>Properly positioning the CAE and the IA function in a regulated entity's organization helps achieve objectivity and independence of the IA function and minimizes the opportunity for management to unduly influence, override, or limit IA activities or findings. &#160;The most structurally independent organizational arrangement for the IA function would have the CAE report directly to the audit committee regarding both audit issues and administrative matters.&#160; However, the CAE may report administratively to the Chief Executive Officer (CEO) if the audit committee so approves.<a href="#10">[10]</a></p><p>Board and senior management engagement and cooperation with IA are essential to its effectiveness.&#160; Boards and management should give IA full and unconditional access to any records and data, including access to management information systems and records and the minutes of all board and management committee meetings.&#160; FHFA expects IA to have access to management committee meetings and related materials in an ex-officio capacity, and any exceptions should be discussed and reconciled with the audit committee.&#160; Boards and management should also require timely remediation of audit issues.</p><ol><li> <em>Scope </em> <em>Limitations</em></li></ol><p>Should management attempt to hinder IA's objectivity and independence, for example, by restricting IA's access to records or personnel, IA staff should disclose to and discuss such attempts with the CAE. &#160;If the scope of an audit is affected by management's action, the limitation should be disclosed in the audit report and documented in the associated work papers.&#160; The CAE should report any attempts to hinder IA's objectivity and independence or limit the scope of an audit activity to the audit committee, generally through the chair, immediately for appropriate resolution.</p><p>D.&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit </em> <em>Compensation</em><em> </em> <em>Arrangements</em></p><p>CAE compensation, which should be approved by the audit committee, should include an appropriate focus on performing audit activities and should only include incentives tied to actions and outcomes within the CAE's control and influence.&#160; Audit committees should not link CAE incentive compensation to the regulated entity's financial position, results of operations, achieving growth or volume targets, business unit compliance levels, or other measures or metrics that could impair or appear to impair IA independence or objectivity.&#160; CAE compensation should be reasonable and comparable with compensation for employment in other similar businesses (including publicly held financial institutions or major financial services companies) involving similar duties and responsibilities.&#160; To these ends, consulting with and obtaining input from a regulated entity's compensation committee may provide useful insights. </p><p style="text-align&#58;justify;">&#160; <strong>III.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>IA Attributes and Operations </strong> <br></p><p>A.&#160;&#160;&#160; <em>IA Function Attributes</em><br></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit</em><em> </em> <em>Department</em><em> Charter</em></p><p>The IA department should have a written charter, which should be reviewed at least annually and be approved by the audit committee every three years or whenever substantive changes are made.&#160; The charter should define the purposes, authorities, and responsibilities of the IA function.&#160; The charter is the foundational document governing all IA activities.&#160; The charter should generally cover&#58;</p><p>&#160;</p><ul><li>IA Department Structure and Independence</li><ul><li>Indicate the IA function's placement within the regulated entity, the CAE's and IA function's authority, the CAE's functional reporting relationship to the audit committee, and the CAE's administrative reporting to senior management, if any;</li><li>Stipulate that IA has unrestricted access to the audit committee and authorize staff to access all regulated entity records and personnel needed to carry out their function; and</li><li>Require the IA function to maintain its independence and objectivity, particularly if IA provides non-attest services, such as consulting on internal controls design for information technology projects, performing financial reporting internal controls testing under management direction, and/or identifying potential operating inefficiencies for management.</li></ul><li>Applicable Standards and Codes of Ethics</li><ul><li>Identify standards applicable to the IA function and staff, including any professional standards, such as the Institute of Internal Auditors (IIA) Standards; and</li><li>Identify codes of ethics and requirements with which IA staff must comply.&#160; These may include both the regulated entity's own written code and one or more professional standard codes, such as the IIA's Code of Ethics.</li></ul><li>Reporting</li><ul><li>Indicate regular reports and items that the IA function is required to provide to the audit committee, including audit plans and annual budget and resource requirements; </li><li>Require timely reporting of significant deviations from approved plans; and</li><li>Require the IA function to monitor and report its activities and management's responses to IA findings, and track, assess, and regularly report on management's remedial actions regarding significant open compliance and regulatory examination issues.</li></ul><li>Performance Assessment and Quality Assurance</li><ul><li>Require the IA function to regularly assess its performance, including its performance relative to the Audit Plan;</li><li>Require the IA function to maintain internal quality assurance processes and programs, and document how weaknesses identified as a result of such processes and programs are addressed; and</li><li>Establish the timeframe for regular external quality reviews (at a minimum every five years) and require the IA function to document how any weaknesses, recommendations, or best practice suggestions identified as a result of such external quality reviews are addressed.</li></ul></ul><p>2.&#160;&#160;&#160;&#160; <em>IA</em><em> Staffing </em> <em>and</em><em> Professional </em> <em>Competence</em></p><p>The IA function needs sufficient staff with the requisite knowledge, skills, professional competence, resources, and stature within the regulated entity to assess the effectiveness of the regulated entity's controls and to credibly challenge management.</p><p>A regulated entity should have policies and procedures designed to reinforce that&#58;</p><ul><li>The IA function hires and maintains sufficient, technically competent staff to provide adequate audit coverage of the regulated entity's risks;</li><li>IA staff are provided appropriate training and professional development opportunities to enable them to remain current in both technical matters and professional standards; and</li><li>IA staff understand their duties, including the duty to report instances of non-compliance with laws, regulations, regulatory guidance, generally accepted accounting principles, professional standards, or the regulated entity's own policies to the CAE, management, and/or the audit committee, as appropriate. </li></ul><p>Collectively, IA staff, supplemented as needed by external resources, should have the knowledge and skills, as evidenced by education and audit, industry, and technical experience, to audit the entire regulated entity. &#160;Relevant and current professional certifications and licenses provide evidence of certain technical knowledge and skills.&#160; Generally, IA staff should audit business units or functions related to their areas of expertise.</p><p>At least annually, the CAE is expected to assess and document the knowledge, skills, and abilities of IA staff and compare those with both the Audit Plan and the universe of risks in the regulated entity. &#160;When assessing the knowledge, skills, and abilities of IA staff, the CAE may consider management feedback and internal or external quality assurance assessments.&#160; If the assessment identifies gaps within IA staff knowledge, skill, and abilities, the CAE should identify a means for filling those gaps, which might include staff training, hiring new staff, and/or using co-sourcing or outsourcing arrangements.&#160; The CAE should report the results of the assessment to the audit committee.</p><p>The CAE should confirm that he/she and all IA staff receive ongoing formal training.&#160; CAEs and staff should generally receive a minimum of forty hours of training per year. &#160;The IA function should have a process to evaluate and monitor the quality and appropriateness of training.&#160; In addition to formal training, IA staff may benefit from staff rotations, both within the IA department and with business and risk management functions, in order to provide IA staff with broader exposure to those functions and opportunities to develop additional areas of expertise.&#160; We encourage such rotations where they are feasible and can be done without compromising audit coverage and IA independence.</p><ol><li> <em>Co-sourcing</em><em> and</em><em> Outsourcing</em><em> </em> <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Activities</em></li></ol><p>The IA function may be staffed using IA employees solely or by supplementing them with co-sourced or outsourced resources.<a href="#11"><span style="text-decoration&#58;underline;">[11]</span></a>&#160; Co-sourcing or outsourcing engagements are generally entered into when a regulated entity has insufficient staff to complete planned audits in a timely manner or needs technical expertise beyond that of the IA staff.&#160; The CAE retains responsibility for managing and providing the audit committee with reports to enable the audit committee to oversee all IA work, whether done by IA staff, co-sourced, or outsourced.</p><p>Co-sourcing is a partnership between IA and an outside vendor (auditor or firm) that works with and often alongside, but does not replace, existing IA staff. &#160;In co-sourcing, IA staff takes an active part in project planning and decision making and may participate in preparing final reports.&#160; Further, IA manages and/or works alongside the specially-skilled partner(s) or vendor(s).&#160; One objective of co-sourcing may be to transfer knowledge from the vendor to IA. &#160;In a co-sourcing arrangement, the vendor has a dual reporting relationship to IA and the vendor's own management.&#160; The CAE should require in associated contracts with co-sourced partners that work complies with applicable IA policies and standards and that the workpapers associated with the co-sourced work are retained by IA, not the vendor.&#160; </p><p>Under an outsourcing arrangement, the outside vendor (auditor or firm) is responsible for performing discrete IA engagements.&#160; The CAE maintains ownership of the entire IA function, including outsourced activities.&#160; When outsourcing audit work, the CAE should approve the scope of work and procedures to be performed. &#160;The CAE remains responsible for results of outsourced work, including findings, conclusions, and recommendations.</p><p>Before hiring a vendor to perform IA work, the CAE should confirm that&#58;&#160; the vendor and staff who will work on the engagement have the technical knowledge and ability to perform the work; the engagement will be effectively managed; the vendor's work will be well-documented; that all control weaknesses and other significant findings, including any apparent regulatory violations, will be timely communicated to the CAE and other stakeholders; and that the regulated entity has appropriate contingency plans should a vendor be released or terminated before completing the engagement.</p><p>Co-sourced and outsourced audit work should be completed pursuant to an engagement letter or similar agreement covering all significant aspects of the engagement.&#160; Such engagement letters should generally&#58;</p><ul><li>Describe expectations and responsibilities for the regulated entity and the vendor;</li><li>Define the work to be performed and the amount and timing of fees to be paid;</li><li>Describe the responsibilities for providing and receiving information, including the type and frequency of contract work status reporting to the CAE and the audit committee;</li><li>Describe the process for changing engagement terms, such as for expanding work if significant issues are identified;</li><li>Define conditions that would constitute default and remedies including canceling the engagement;</li><li>Establish who bears the cost of damages arising from errors, omissions, and negligence;</li><li>State that the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with American Institute of Certified Public Accountants, Securities and Exchange Commission, Public Company Accounting Oversight Board, and other relevant professional standards, and other applicable regulatory guidance; and</li><li>For any engagements where reports or workpapers will be retained by the vendor&#58;</li><ul><li>Establish that reports created by the vendor during the engagement are the property of the regulated entity, that the regulated entity will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the regulated entity will have reasonable and timely access to the workpapers prepared by the vendor;</li><li>Specify the locations of reports and the related workpapers and the length of time vendors must maintain workpapers;</li><li>State that FHFA examination staff will have full and timely access to vendor-created IA reports and related workpapers. </li></ul></ul><p> <strong>&#160;</strong></p><p>B.&#160;&#160;&#160; <em>Internal Audit Operations</em><br></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Risk </em> <em>Assessments</em></p><p>Regulated entities' IA universes (comprising all auditable entities<a href="#12"><span style="text-decoration&#58;underline;">[12]</span></a> that are significant and subject to risks for which controls should be reviewed) should be regularly updated for organizational changes.&#160; Audit plans should be formulated to provide reasonable assurance that a regulated entity's system of controls is well-designed, operates effectively, and manages risks to an acceptable level.&#160; At least annually, IA should perform a risk assessment that includes reviews of its IA universe and Audit Plan to ensure that all auditable entities receive audit coverage over an appropriate period of time commensurate with associated risks.&#160; </p><p>The IA risk assessment should include four basic steps&#58; &#160;1) identify inherent risks to the regulated entity; 2) understand management's controls over those inherent risks; 3) assess residual or remaining risks to establish the frequency with which activities should be audited; and 4) prioritize auditable entities from the audit universe for audit coverage. &#160;The IA risk assessment should also consider multiple approaches.&#160; For example a &quot;top-down&quot; approach could complement a bottom-up approach.&#160; A top-down approach begins with identifying industry, environmental, and other enterprise-wide current or emerging risks.&#160; A bottom-up approach starts with the audit universe, then assesses and aggregates risks attributable to auditable entities within the audit universe.&#160; </p><p>The CAE should perform the risk assessment annually and should document the IA staff's understanding of the entity's significant business activities and the associated risks.&#160; To facilitate risk assessment and audit planning, IA should maintain (or regularly review if such an inventory is maintained by independent risk management) a complete inventory of all of the regulated entity's material processes, product lines, services, and functions, and then assess the risks, including emerging risks, associated with each.&#160; The risk assessment should consider and address risks to the regulated entity from all sources, both internal and external.&#160; These include, but are not limited to, credit, market, operational, governance, reputational, fraud, and compliance risk.&#160; The assessment should also consider thematic control issues and layered or aggregated risks that cross business units or lines of business.&#160; The risk assessment should analyze and prioritize key risks and risk management functions.</p><p>While the risk assessment should reflect IA's independent analysis, IA may consider all available information, for example, input from management self-assessments. &#160;While the formal risk assessment is performed annually, IA should update it as needed for major organizational changes, infrastructure changes, or changes in the regulated entity's external business or regulatory environment.</p><p>As underlying technology has advanced, more business entities are using &quot;Continuous Monitoring&quot; (CM) tools to continuously assess and provide management feedback on whether business processes are performing effectively and &quot;Continuous Auditing&quot; (CA) tools, which allow IA to gather and review control-related business process data. &#160;</p><p>FHFA expects IA functions to employ formal CA and/or CM practices.&#160; CA and CM can be conducted by IA staff and/or through technological tools.&#160; In either case, it should be done pursuant to written policies and procedures that support consistent and comparable results.&#160; CA and CM should be documented through business metrics, management reporting, reports to audit committees, and through any related adjustments made to audit risk assessments and plans.&#160; IA should continuously monitor key business metrics and performance indicators. &#160;IA should work to understand changes and their drivers in order to help identify potential audit issues and changes in the business environment and to adjust risk assessments and audit plans, if needed, in a timely manner.</p><p>2.&#160;&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Planning</em></p><p>At least annually, IA should review and update the Audit Plan.&#160; The Audit Plan should be based on the risk assessment and should consider key risks and related controls within each significant business and functional activity, the timing and frequency of planned IA work, and a resource budget. &#160;During the planning process, IA should analyze the regulated entity's specific risks, mitigating controls, and level of residual risk. &#160;The CAE should have a contingency plan to mitigate any significant disruption to audit coverage, particularly for high-risk areas. &#160;Documentation supporting the Audit Plan should reference the IA program that describes the objectives of the audit work and the audit work expected to be performed during each IA activity.</p><p>The audit planning process should include evaluating management's root cause and lessons learned analyses performed after a significant adverse event.&#160; IA should consider management's analysis of reasons for the adverse event and whether it resulted from a control breakdown or failure.&#160; IA should confirm that management correctly identified the measures needed to prevent a similar event from occurring in the future.&#160; In certain situations, IA should conduct its own lessons learned analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in IA processes).</p><p>The audit planning process should also be designed to inform the board's responsibilities for risk oversight to include&#58;&#160; overseeing the regulated entity's operational and risk management; remaining informed about the regulated entity's operations and condition; and remaining informed about the entity's risk exposures and senior management's actions to address them. &#160;The Audit Plan should be designed to provide the audit committee with the depth and breadth of IA assurance it needs to inform those responsibilities.</p><p>3.&#160;&#160;&#160;&#160; <em>Internal Audit Coverage of Risk Management and Regulatory Compliance Programs</em></p><p>FHFA regulations require the Enterprises and FHLBanks to appoint a Chief Risk Officer (CRO) to implement and maintain appropriate enterprise-wide risk management practices and a Compliance Officer (CO) to head a compliance program designed to assure that they comply with applicable laws, rules, regulations, and internal controls.&#160; Both officers should regularly report to the board (in addition, the CRO reports to the Risk Committee) and to the CEO.&#160; These functions are part of the regulated entity's second line of defense, its independent risk management function, and are &#160;separate from first-line operating management but still under the direction and control of senior management.</p><p>IA is the regulated entity's third line of defense.&#160; IA should, through its risk assessment and auditing processes, provide the audit committee with independent assurance that enterprise risk management and compliance programs are working effectively, that those programs have identified and reported timely enterprise and compliance risks, and that significant risks are managed to an acceptable level.&#160; </p><p>4.&#160;&#160;&#160;&#160; <em>Internal Audit Frequency</em></p><p>Internal audits should generally cover the entire audit universe over a maximum four year period. &#160;High-risk areas should generally be audited annually, and moderate- and low-risk audits should be scheduled every 12 to 48 months (or one to four years) based on a risk assessment and ranking that is regularly reviewed and updated.&#160; FHFA expects that IA will weigh both inherent and residual risk when deciding on how frequently to audit an area and in considering the audit approach, including the nature and extent of testing. &#160;The CAE should confirm that higher level risks, including thematic trends and control issues, are not underreported due to being separately captured in moderate- or low-risk audits.<a href="#13"><span style="text-decoration&#58;underline;">[13]</span></a>&#160; Audit plans should be dynamic and include time to expand audit work when unexpected or higher risks are identified through CM activities, scheduled audits, or otherwise.&#160; The CAE should regularly report significant changes to the audit universe or audit plans to the audit committee, along with an analysis supporting the changes.</p><p>5.&#160;&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Reports</em></p><p>IA reports should generally present the purpose, scope, objectives, and results of the audit, including findings, conclusions, observations, and/or recommendations however styled.&#160; Final reports should also document management's response to findings.&#160; IA should maintain work papers that document the work performed and support the audit report.</p><p>IA should establish and implement a documented methodology that employs appropriate criteria to prioritize and rank audit issues.&#160; The criteria should be sufficiently objective to promote consistent application of judgment and appropriate prioritization of audit issue severity.&#160;&#160;&#160;&#160; </p><p>6.&#160;&#160;&#160;&#160; <em>Internal Audit Issues Monitoring and Tracking</em></p><p>Audit committees should regularly receive clear, timely, and detailed reports on significant open violations, findings, weaknesses, and other issues, regardless of their original source.&#160; Issues that FHFA requires to be reported to audit committee chairs, whether by FHFA or regulated entities' management, including all FHFA Matters Requiring Attention (MRAs), should be presumed significant.&#160; Issues may originate from IA audits and reviews, external audit, regulatory examinations, management self-identification, outside consultants' work, and other sources.&#160; IA should also verify that significant risks and/or control deficiencies identified by first- and second-line of defense units, external auditors, or other parties are adequately assessed and communicated to management and board stakeholders.&#160; To facilitate the timely and effective remediation of open audit issues, IA and management or the board (as warranted) should agree on a resolution date and on interim milestones, if appropriate.&#160; </p><p>IA should establish standards for performing timely and appropriately rigorous validation work once management asserts that remediation of significant audit issues (to include MRAs) has occurred.&#160; When management or the board indicates that they have performed the required remediation, IA should validate that revised processes and controls are in place, operating, and sustainable before closing the issue.&#160; The level of validation work that IA should perform to close an issue will vary based on the issue's risk, complexity, and associated interdependencies.&#160; For higher-risk issues, IA should verify that sufficient testing is performed over an appropriate period of time to validate that the issue is sustainably resolved. </p><p>IA reports should include key information about open remediation plans and associated timetables agreed on by stakeholders.&#160; Reports should highlight significant issues with delayed remediation, including those for which management has made agreed-upon corrective steps and/or control design changes that are pending validation, until testing is complete.&#160; These steps should help to verify that control changes are effective and sustainable and to identify issues for which the planned remediation may need to be amended.</p><p>Regulated entities should establish and implement policies and/or procedures as appropriate for documenting, monitoring, tracking, and reporting on management's acceptance of risks for any management decision not to remediate audit issues, or for time extensions to perform agreed-upon remediation.&#160; If such accepted risks are individually or in aggregate more than insignificant, the CAE should consult with senior management and the audit committee as appropriate.</p><p>7.&#160;&#160;&#160;&#160; <em>Quality</em><em> Assurance </em> <em>Program</em></p><p>An effective IA Quality Assurance Program (QAP) should be implemented to help minimize audit risk, including the risk that an audit reaches inaccurate conclusions.&#160; A QAP should include regular internal processes and reviews, as well as an external Quality Assurance Review (QAR) to be performed at least every five years.&#160; </p><p>The internal QAP review should include rigorous reviews by IA management and/or peer reviews of reports and work papers for clarity, adherence to IA policies and procedures, and consistency with relevant professional standards.&#160; The QAP should help confirm that IA policies, procedures, and processes comply with applicable regulatory and industry guidance; are appropriate for the size, complexity, and risk profile of the regulated entity; are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry; and are followed consistently.&#160; QAP reviews and self-assessments may be activity driven or ongoing.&#160; Gaps identified should be documented and addressed timely.&#160; The CAE should report the results of the QAP to the audit committee at least annually and results from the QAR and any other external review, as received.</p><p> <a name="1" id="1"><span style="text-decoration&#58;underline;">[1]</span></a> The OF is not a &quot;regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. &#160;However, for convenience, references to the &quot;regulated entities&quot; in this AB should be read to also apply to the OF.</p><p> <a name="2" id="2"><span style="text-decoration&#58;underline;">[2]</span></a> &quot;Management&quot; as the term is used in this guidance generally comprises the CEO and subordinate managers, who engage in business operations.</p><p> <a name="3" id="3"><span style="text-decoration&#58;underline;">[3]</span></a> As used in this guidance, the term &quot;Chief Audit Executive&quot;&#160;means the individual responsible for the internal audit function at a regulated entity.</p><p> <a name="4" id="4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1239.32.</p><p> <a name="5" id="5"><span style="text-decoration&#58;underline;">[5]</span></a> Section 301 of the Sarbanes-Oxley Act does not directly address the audit committee's oversight of the IA function.</p><p> <a name="6" id="6"><span style="text-decoration&#58;underline;">[6]</span></a> NYSE Listed Company Manual, Rule 303A.07.</p><p> <a name="7" id="7"><span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR 1239.5(c).</p><p> <a name="8" id="8"><span style="text-decoration&#58;underline;">[8]</span></a> For the FHLBanks, annual review by the committee and the full board, and re-approval by the board at least every three years are required by regulation.&#160; 12 CFR 1239.32(d).</p><p> <a name="9" id="9"><span style="text-decoration&#58;underline;">[9]</span></a> For the FHLBanks, these items, except audit committee approval of IA department budget approval, are regulatory requirements. &#160;12 CFR 1239.32(d) (3), (e) (3).</p><p> <a name="10" id="10"><span style="text-decoration&#58;underline;">[10]</span></a> 12 CFR Part 1273.9 (b) (5), which relates to the OF only, states &quot;the internal auditor shall report directly to the Audit Committee and administratively to executive management.&quot;</p><p> <a name="11" id="11"><span style="text-decoration&#58;underline;">[11]</span></a> Co-sourced and outsourced audit engagements should be awarded in compliance with the requirements for equal opportunity in employment and contracting under applicable provisions of the Minority and Women Inclusion and Diversity at Regulated Entities and the Office of Finance regulation, 12 CFR 1207.21.</p><p> <a name="12" id="12"><span style="text-decoration&#58;underline;">[12]</span></a> Auditable entities collectively comprise the potential audit universe and may represent business units, departments, processes, general ledger accounts, or other functions at a regulated entity that are suitable for audit.</p><p> <a name="13" id="13"><span style="text-decoration&#58;underline;">[13]</span></a> For example, if a regulated entity relies on user-developed spreadsheets across its operations, and IA has identified high level or thematic control issues regarding such spreadsheets, the incremental spreadsheet control risk in moderate- or low-risk auditable entities should be aggregated, addressed, and reported appropriately.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; This Advisory Bulletin is effective January 1, 2017. &#160;Contact David R. Poston, Deputy Chief Accountant, Office of Chief Accountant at <a href="mailto&#58;David.Poston@fhfa.gov"> <span style="text-decoration&#58;underline;">David.Poston@fhfa.gov</span></a> or 202-649-3467, or Nicholas J. Satriano, Chief Accountant, at <a href="mailto&#58;Nicholas.Satriano@fhfa.gov"> <span style="text-decoration&#58;underline;">Nicholas.Satriano@fhfa.gov</span></a> or 202-649-3450, with comments or questions pertaining to this bulletin.</td></tr></tbody></table><p>&#160;</p>11/29/2016 6:25:28 PM2327https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Data Management and Usage21352Fannie Mae & Freddie Mac9/29/2016 4:00:00 AMAB 2016-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>​<strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-04</strong></p><p> <strong>DATA MANAGEMENT AND USAGE<span aria-hidden="true"></span></strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"><strong><em><br></em></strong></p><p style="text-decoration&#58;underline;"> <strong><em>Purpose</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the management of data, including expectations for data governance, architecture, quality, and security. Strong data management supports safe and sound operations by enabling an Enterprise to provide secure, accurate, and accessible data to meet business needs and for use in risk management and compliance processes.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Data management is the development, implementation, and enforcement of policies, procedures, and standards throughout the data lifecycle that establish how data are defined, shared, stored, protected, retrieved, and purged. Strong data management enables an Enterprise to reduce its exposure to operational, financial, and reputational risks. Consistent data management methods can reduce the likelihood of operational errors, adverse business decisions, and financial loss.</p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236. Standard 1 (Internal Controls and Information Systems) articulates the considerations for the board of directors and management to evaluate when establishing internal controls and information systems. FHFA expects the Enterprises to provide relevant, accurate, and timely information to decision-makers and personnel in risk management and compliance functions; to establish and test contingency arrangements for information systems storing data; and to communicate policies and procedures to all personnel with regard to their respective duties and responsibilities. Effective data management includes compliance with applicable laws and regulations and adherence to FHFA supervisory guidance.</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have enterprise-wide data management policies, procedures, and standards. Data architecture should be integrated and provide scalable accessibility and effective utilization across the Enterprise as appropriate. Each Enterprise should establish data quality requirements so that data used for decision-making are relevant, accurate, complete, timely, and consistent. Data management practices should allow users to identify and access appropriate data for business, risk management, and compliance activities and functions. FHFA expects the confidentiality, integrity, and availability of data to be consistent with sound business practices and regulatory requirements.</p><p>Fundamental requirements in the following areas are detailed below&#58;</p><ul><li>Data Governance<br></li><li>Data Architecture<br></li><li>Data Quality<br></li><li>Data Security<br></li><li>Data Usage<br></li></ul><p> <em>Data Governance</em></p><p>Data governance provides the necessary framework to control and support data used in decision-making and risk management. Each Enterprise should establish a data strategy that supports organizational goals through data management, and effective policies, procedures, and standards to maintain the confidentiality, integrity, and availability of Enterprise data throughout the data lifecycle. Policies, procedures, and standards should cover, at a minimum, data architecture, data quality, data security, and data usage. Policies and procedures should establish data requirements; controls for assessing and monitoring data; assignment and coordination of individuals’ roles and responsibilities, including their authority to manage the data; and&#160;management support and accountability of data-related issues. Policies, procedures, and standards should be reviewed and updated at least annually and aligned with legal and regulatory requirements for records management.</p><p>In order to assure data oversight and accountability, an Enterprise should designate individuals to be responsible for managing data and representing the interests of relevant stakeholders. Defined responsibilities should include, at a minimum, identifying and monitoring controls for processing or storing data; managing content of both structured and unstructured data; and controlling data from internal and external sources. A senior-level management official should be responsible for and report on effective data management practices for each business unit or control function.</p><p>The Enterprises should monitor and enforce data policies, procedures, and standards. Instances of non-compliance should be identified and tracked through to resolution. Metrics to measure and communicate the effectiveness of the Enterprise’s data strategy should be developed and adopted.</p><p> <em>Data Architecture</em></p><p>Data architecture should define and support data requirements and formats, direct the integration of data, and align data investments with the data strategy. An Enterprise should establish data standardization requirements across the organization that are consistent with the data strategy and that reflect the needs of business and risk management functions. Adherence to those requirements should be confirmed throughout the data lifecycle. Each Enterprise should deploy data in a way that reduces redundancy and encourages the use of a single-source system of record for each element. Data should be maintained or archived pursuant to business, legal, and risk requirements to allow for recovery or evaluation of historical data outputs, whether stored in an Enterprise’s data center or in a hosted cloud environment. The use of data virtualization should consider appropriate data synchronization and integration.</p><p>Data models define the Enterprise’s technical requirements for data and the structure to support those requirements. Data modeling, in conformance with established standards, can support reliable data quality and reduce disparate data. In order to standardize data and track the flow of data, both business and technical metadata should be used to describe data characteristics for purposes of organization, collection, storage, and usage. Metadata can improve business collaboration, integration, and efficiency by providing organizational understanding of data and the business processes used by the Enterprises.</p><p> <em>Data Quality</em></p><p>An Enterprise should take steps designed to ensure that data are of an acceptable quality to meet business requirements and control function needs. Data should be sufficiently accurate, complete, timely, and consistent to enable the Enterprise to generate reliable results, such as for reporting and risk modeling. An Enterprise should have comprehensive data quality management policies and procedures that include outlining roles and responsibilities regarding the collection, dissemination, and maintenance of data, both created and acquired; defining data quality requirements for created data; defining data quality checks for acquired data; and requiring a mechanism for assessing and verifying data quality, data quality metrics, and data conformance requirements.</p><p>Data should be validated at different points in the lifecycle to assure it meets integrity requirements. An Enterprise should have a methodology for identifying and addressing data inconsistencies, problems, and defects. An Enterprise should design and implement controls intended to ensure quality of data in use, at rest, and moving through applications or databases. Data standardization should consider the relationships of data and how to maintain integrity of data from multiple sources. Tools and techniques should be employed to assure conformity to data quality standards. Data used for decision making should have auditable trails to confirm the quality of data.</p><p> <em>Data Security</em></p><p>Data must be protected against unauthorized and inappropriate use, modification, disclosure, and purging. Each Enterprise should have policies and procedures for monitoring and managing data security that are intended to ensure confidentiality, integrity, and appropriate availability of data. This includes the creation and maintenance of data classifications and controls consistent with the internal standards established in data governance, data architecture, and data quality management.</p><p>Data security management should contain specific security requirements established for categories of data, such as personally identifiable information, intellectual property, and non-public information. Data security controls should be commensurate with the security requirements. Each Enterprise should have procedures and processes to ensure that the controls are documented, reviewed, and tested related to those requirements. In order to secure data, an Enterprise should maintain a comprehensive inventory of databases and contents to identify and protect their data and dataflow. An Enterprise should identify and implement encryption controls that are consistent with industry standards and supervisory guidance.</p><p> <em>Data Usage</em></p><p>Data management enables relevant data to be used by an Enterprise to meet its business needs; manage business risks; and support risk management and compliance functions. Enterprise data, whether generated internally or acquired, should be available to business and risk functions to provide comprehensive, clear, and useful outputs. Reporting or risk modeling processes should accurately aggregate data and be able to be reconciled and validated. Reliance on manual processes to manipulate data should be limited to reduce the possibility of human error. Each Enterprise should establish procedures intended to ensure that reports conveying the same data are consistent enterprise-wide. Sufficient controls should be implemented to appropriately protect the confidentiality of distributed information derived from data.</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Information Technology Investment Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014.</p><p> <em>Operational Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.</p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB- 2013-07, November 20, 2013.</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, June 8, 2012.</p><p> <em>Safety and Soundness Standards for Information, </em>Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. This advisory bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a> or Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> with comments or questions pertaining to this bulletin. </td></tr></tbody></table>9/29/2016 10:04:40 PM1456https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Fraud Risk Management18654Fannie Mae & Freddie Mac9/29/2015 4:00:00 AMAB 2015-07<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-07</strong><br></p><p> <strong>FRAUD RISK MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) supervisory expectations for fraud risk management, including the establishment and maintenance of internal controls to prevent, deter, and detect fraud or possible fraud.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Effective fraud risk management is essential to the safe and sound operations of the Enterprises.&#160; Potential exposure to the risk of fraud exists in Enterprise business operations.&#160; For example, single-family and multifamily mortgage operations have exposure to the risk of fraud associated with activities of borrowers, loan originators, mortgage brokers, loan sellers, attorneys, servicers, appraisers, property managers, and third parties engaged to perform functions relating to loans or the collateral securing the loans.&#160; Capital markets activities may expose an Enterprise to fraud committed by counterparties involved in securitizations.&#160; The Enterprises also have potential exposure to fraud risk resulting from insider malfeasance.<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a></p><p>Fraud may subject an Enterprise to financial, operational, legal, or reputational harm.&#160; For example, mortgage fraud may result in financial losses for an Enterprise if a seller does not have the financial ability and willingness to honor its obligation to repurchase fraudulent loans.&#160; Other types of fraud may result in financial losses if the fraud is not fully covered by fidelity bond insurance.&#160; An Enterprise may be exposed to litigation or civil money penalties for failure to comply with fraud-related statutes and regulations.&#160; Further, fraud may cause reputational risk if an Enterprise's operations are used or perceived to be used to perpetrate fraud. &#160;While experience demonstrates that fraud may not be prevented completely, it may be deterred or reduced through appropriate anti-fraud procedures that are maintained and reviewed over time.</p><p> <span style="text-decoration&#58;underline;">Examples of Fraud</span> </p><p>The Enterprises may encounter various types of fraud.&#160; For example, mortgage fraud may occur in mortgage loans purchased for an Enterprise's own portfolios or for securitization.&#160; Fraud may be committed as part of the origination, underwriting, or closing process or in conjunction with the servicing of a loan on behalf of an Enterprise.&#160; </p><p>Mortgage-related fraud may be committed by various participants in the origination, selling, and servicing of mortgage loans.&#160; Borrowers may provide false identification, employment, or income information to obtain approval for a mortgage loan.&#160; Parties involved in loan originations, such as appraisers, attorneys, and title agencies, may engage in misrepresentation of collateral or performance of contracted responsibilities, or through diversion of funds.&#160; Sellers of mortgage loans may misrepresent underwriting standards or deliver a single mortgage loan multiple times.&#160; Servicers may divert custodial or other funds received to accounts used for their own purposes.&#160; </p><p>Mortgage-related fraud may be part of larger schemes that include originating mortgage loans through the use of straw borrowers, illegal property flipping, double-pledging of collateral, and builder bailouts.&#160; Post-origination mortgage fraud may target financially distressed borrowers to steal equity in or secure title to a property through fraudulent workout schemes or short sales.&#160; </p><p>Insider fraud (<em>i.e.</em>, fraud involving current or former employees and contractors) may include accounting fraud, payroll fraud, embezzlement, or collaboration with external parties in a fraud against an Enterprise or other financial institution.&#160; </p><p>The wide variation of possible fraudulent activities creates a broad range of fraud risk; therefore, an Enterprise should implement a risk-based approach to fraud risk management that takes into account the scope and potential harm to the Enterprise of possible fraud.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>This Advisory Bulletin describes FHFA's expectations for the oversight of fraud risk management, key elements of a risk-based approach to fraud risk management, and the training and independent testing functions that should accompany an Enterprise's fraud risk management approach. &#160;As described below, FHFA expects the Enterprises will take steps to manage fraud risk in all business lines and operational functions.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx#footnote2"><font color="#0066cc">[2]</font></a></p><p> <span style="text-decoration&#58;underline;">Oversight of Fraud Risk Management</span></p><p>Each Enterprise's board of directors has a responsibility to ensure that the Enterprise's management is committed to effective fraud risk management and that the Enterprise has appropriate policies for preventing and detecting fraud or possible fraud.&#160; The Enterprise should have documented processes in place to appropriately inform the board about fraud risk management activities and significant instances of fraud or possible fraud.&#160; Fraud risk should be included in the risk management policies that are approved by the board or a committee thereof, and reviewed on a periodic basis.&#160; </p><p>The policies should establish the Enterprise's standards and reporting processes relating to fraud and possible fraud.&#160; The policies should designate the management official(s) responsible for the oversight of fraud risk management and define specific roles and responsibilities for personnel with fraud risk management responsibilities.&#160; </p><p>Enterprise management should develop and oversee the implementation of business unit policies and procedures to implement and support anti-fraud and regulatory reporting programs and controls consistent with the Enterprise's policies.&#160; Business unit policies should detail the Enterprise's fraud risk management processes, including risk assessments, internal controls, training, independent testing, fraud response protocols, and board and senior management reporting.&#160; </p><p>The Enterprise should provide for appropriate coordination across business lines and functions of fraud risk management activities and resources.&#160; Areas of coordination may include risk assessments, oversight of the design and implementation of anti-fraud and regulatory reporting programs and controls, and reporting to senior management and the board or a committee thereof, as appropriate, the results of the Enterprise's fraud risk management efforts.&#160; </p><p> <span style="text-decoration&#58;underline;">Elements of Fraud Risk Management</span></p><p>Effective fraud risk management should include&#58;</p><ul style="list-style-type&#58;disc;"><li>Ongoing risk assessments to determine areas of heightened risk for possible fraud and adequacy of the control environment. </li><li>Risk-based internal controls that are designed to prevent and deter fraud from occurring.</li><li>Risk-based internal controls that are designed to detect fraud when it occurs.</li><li>Processes for responding to and reporting fraud or possible fraud.</li></ul><p> <em>Risk Assessments</em> </p><p>An Enterprise should have an ongoing process for performing risk assessments to identify and assess risk of fraud and to evaluate controls in place to mitigate risk.&#160; Risk assessments should consider factors such as products, services, customers, counterparties, and geographic locations, and should cover business units and operational and control functions.&#160; Fraud risk assessments should provide the basis for internal controls to prevent and deter fraud and to detect fraud or possible fraud.&#160; An Enterprise should have in place a process for periodically updating fraud risk assessments and making associated changes to internal controls.&#160; </p><p> <em>Fraud Prevention and Deterrence</em></p><p>Each Enterprise should maintain effective internal controls designed to prevent and deter fraud.&#160; The type and scale of internal controls will vary depending on the operational area, product type, and fraud risk.&#160; Types of controls include segregation of duties; a system of proper authorizations; physical safeguards to prohibit access to assets and records; a system of independent checks; and records to provide an audit trail.&#160; </p><p>Internal controls should be clearly documented and subject to ongoing review to determine whether they are followed, are effective, and reflect current industry sound practices.&#160; With regard to potential insider fraud, policies related to the consequences of committing or concealing fraud should be communicated clearly to all personnel.&#160; </p><p> <em>Fraud Detection </em></p><p>The complexity and extent of the internal controls for detection of different types of potential fraud in different business activities should be based on the fraud risk assessment, in light of the size, structure, risks, complexity, and vulnerability to fraud of the particular activity.&#160; Fraud detection controls and tools may include, but are not limited to, internal and external tip hotlines; whistleblower vehicles; audits; quality control reviews; and analysis of financial, operational, and transaction data.&#160; Detection methods may involve a review of transactions for possible fraud and, where possible, should include a review for red flags that indicate fraud or possible fraud.&#160; Examples of red flags may include patterns of inconsistency in borrower information, loan documentation, servicer records, and significant servicer performance issues, as well as adverse public information. &#160;Additionally, an Enterprise may identify individuals and firms known to have been involved in fraud. &#160;Fraud detection procedures should document when findings will warrant the expansion of the scope of review consistent with current risk assessments.</p><p>Each Enterprise should have adequate information systems to timely capture information needed to detect fraud or possible fraud and comply with regulatory reporting requirements.&#160; </p><p> <em>Fraud Response and Reporting</em></p><p>Each Enterprise should have documented processes for evaluating and responding to various types of possible fraud and for complying with regulatory reporting requirements.&#160; An Enterprise should take steps to make its employees and third parties aware of methods by which they may report possible fraud relating to Enterprise operations.&#160; Furthermore, an Enterprise should ensure that its procedures and resources are sufficient to timely investigate possible fraud.&#160; </p><p>An Enterprise's process should address investigation procedures, protocols for gathering evidence, decision-making authority, internal and regulatory reporting, escalation protocols, remedial action, and disclosure.&#160; Individuals assigned to investigations should have the necessary training, authority, and skills to evaluate possible fraud and determine the appropriate course of action.&#160; The process should include a tracking or case management system(s) where allegations of fraud are logged.&#160; As appropriate, an Enterprise's procedures should also include a review of incidents to determine if improvements need to be made to processes or internal control systems to prevent future incidents of possible fraud.&#160; </p><p>Each Enterprise should have effective, risk-based processes to timely investigate potential fraud to minimize and prevent loss.&#160; Procedures should be in place for reporting investigation findings regarding fraud or possible fraud in accordance with regulatory requirements and Enterprise policy.&#160; </p><p> <span style="text-decoration&#58;underline;">Training</span></p><p>Each Enterprise should promote fraud awareness by conveying the importance of fraud prevention and penalties for fraud to all employees. &#160;Each Enterprise should provide and document adequate fraud risk management training that is risk-based and commensurate with trainees' roles and specific responsibilities.&#160; Training should include instruction on regulatory requirements and the Enterprise's policies and procedures to comply with those requirements.&#160; Board and senior management training should reflect their oversight role.&#160; Training should be updated as needed to reflect regulatory changes and industry sound practices, as well as changes to the Enterprise's risk assessments and internal controls.&#160; </p><p> <span style="text-decoration&#58;underline;">Independent Testing</span></p><p>Each Enterprise should conduct regular independent testing in all business lines to determine the overall adequacy and effectiveness of the Enterprise's fraud risk management.&#160; Testing scope, procedures performed, and findings should be documented.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related FHFA Guidance</em></strong></span></p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2015-02, March 26, 2015, communicates to the Enterprises FHFA's fraud reporting requirements pursuant to 12 CFR Part 1233.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014, communicates to the Enterprises FHFA's supervisory expectations for managing counterparty risk associated with their relationships with single-family Seller/Servicers.</p><p> <em>Suspended Counterparty Program at 12 CFR Part 1227, </em>generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. &#160;FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.</p><p>________________________________ </p><p> <a id="1" href="#ref1">[1]</a> For purposes of this Advisory Bulletin, fraud occurs when a person(s), knowingly and willfully (1) falsifies, conceals, or covers up a material fact by any trick, scheme, or device; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry. </p><p> <a id="2" href="#ref2">[2]</a> The risk management guidance in this Advisory Bulletin complements the requirements for reporting fraud and possible fraud found in&#58; (i) 12 C.F.R. Part 1233, Reporting of Fraudulent Financial Instruments; (ii) 31 C.F.R. Parts 1010 and 1030, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises; and (iii) Advisory Bulletin 2015-02, Enterprise Fraud Reporting (March 26, 2015).</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. &#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, Kathy Beach, Principal Advisor, Office os Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> or (202) 649-3521, or Ellen Joyce, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Ellen.Joyce@fhfa.gov">Ellen.Joyce@fhfa.gov</a> or (202) 649-3409 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table></div>9/29/2015 1:00:27 PM3037https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Information Technology Investment Management18591Fannie Mae & Freddie Mac9/21/2015 4:00:00 AMAB 2015-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-06</strong><br></p><p> <strong>INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on information technology (IT) investment management by Fannie Mae and Freddie Mac (the Enterprises).&#160; FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise.&#160; &#160;&#160;</p><div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><div><p>The Enterprises' investments to maintain and improve their IT environments are critical to the success of business operations and strategic initiatives.&#160; Effective IT investment management contributes to safe and sound operations by enabling an Enterprise to confirm that IT investments are aligned with strategic priorities, support business operations, and deliver expected returns on investment. &#160;An effective process for funding IT projects should assist an Enterprise to assess costs and benefits of investments, manage interdependencies among related projects, identify risk exposures to third-party vendors, and plan the funding of multi-year projects over multiple budget cycles.&#160; </p><p>FHFA's standards for safe and sound operations are generally set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236.&#160; In particular, PMOS Standard 1.4 (Internal Controls and Information Systems, Framework) articulates the requirement for an effective system of internal controls, which includes a board-approved organizational structure that clearly assigns responsibility, authority, and reporting relationships, as well as appropriate segregation of duties.&#160;&#160;</p></div><div> <em> <span style="text-decoration&#58;underline;"> <strong>Guidance</strong></span></em></div><div> <br> &#160;</div><div> <span style="line-height&#58;1.6;">FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise. &#160;</span><span style="line-height&#58;1.6;">An Enterprise may develop and refine its IT investment management based on sound industry practices, such as the Control Objectives for Information and Related Technology (COBIT) framework issued by the Information Systems Audit and Control Association (ISACA).</span><span style="line-height&#58;1.6;">&#160;</span> <p></p><p> <em>Governance</em></p><p>Each Enterprise should maintain sound governance over IT investments using a risk-based approach at both the portfolio level and at the project level to confirm that the Enterprise's IT investments are aligned with enterprise strategic priorities and line of business objectives.&#160; Governance should address funding of IT projects and prioritization of project funding based upon risk assessments for proposed investments, cost-benefit analyses, and requirements for diversity and inclusion practices in contracting, <strong> </strong><a id="ref1" href="#1"><strong> </strong><span><strong> </strong><font color="#0066cc"><strong>[1]</strong></font></span></a><strong>&#160;</strong>among other factors.</p><p>The governance over IT investments should clearly define the roles and responsibilities of stakeholders, including the board of directors, business leads, and IT management.&#160; Delegations of authority should be established and subject to periodic review, and exceptions to delegated authority should be documented.&#160; The governance process should confirm that appropriate risk control functions have input into IT funding decisions at both project and portfolio levels. &#160;</p><p>Setting IT investment priorities is a key component of governance.&#160; Risk assessments should be performed for IT funding proposals to identify potential risks at the project and portfolio level.&#160; In addition, cost-benefit analyses should be conducted to inform the prioritization of IT investments and funding decisions.&#160; </p><p>Ensuring sustainability of IT investments is essential for mitigating risks such as operational disruptions, security lapses, or system degradation.&#160; Strong governance and oversight of IT investments should be designed to enable an Enterprise to ensure that its IT environment remains current and that IT investments are sustainable.&#160; Budgeting should include long-term IT investments over multiple budget cycles, not only for new projects, but also for ongoing maintenance such as routine service, periodic modification, equipment replacement, enhancement of security features, and patch management.&#160; Effective IT investment governance should also include a regular review function to monitor project management practices against established standards, practices, and internal controls.&#160; </p><p> <em>Monitoring and Reporting</em></p><p>Each Enterprise should maintain a process for tracking IT investments and the performance of funded projects.&#160; Monitoring and reporting are essential tools for management to ensure timely identification of changes to project schedules or budgets and the opportunity to ensure that issues are addressed through appropriate governance mechanisms. &#160;Effective monitoring and reporting &#160;for IT investments should assist management in ensuring ongoing alignment of the IT project portfolio with strategic objectives and business operating plans, and in maintaining current information on budgets, timelines, and project interdependencies.&#160; </p><p>IT investment management requires periodic performance reporting that provides senior management and the board of directors with appropriate dashboards or similar reports to capture results for performance objectives.&#160; Such reports should inform decision-makers about the sustainability and viability of both existing and future projects.</p><p style="text-decoration&#58;underline;"> <i> <strong>Related Guidance</strong></i></p><p> <em>Guidance on Cyber Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014-05, May 19, 2014.</p><p> <em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014. </p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014‑02, February 18, 2014. </p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.&#160;</p><p>​________________________________</p><p></p><p> <a id="1" href="#ref1"> [1]</a> 12 CFR § 1207.21 requires that the Enterprises develop, implement, and maintain policies and procedures to ensure, to the maximum extent possible in balance with financially safe and sound business practices, the inclusion and utilization of minorities, women, individuals with disabilities, and minority-, women-, and disabled-owned businesses in procurement and all types of contracts.</p></div></div><div>​ <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> ​​​​​​Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance,&#160;Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. &#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, John McNicholas, Senior Examiner (Policy), Examination Standards Branch&#160;at <a href="mailto&#58;John.McNicholas@fhfa.gov">John.McNicholas@fhfa.gov</a> or&#160;(202) 649-3525&#160;or&#160;Anne Paulin, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Anne.Paulin@FHFA.gov">Anne.Paulin@fhfa.gov</a> or (202) 649-3421 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table> ​</div>9/28/2015 7:07:16 PM1589https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Rescission of Division of Enterprise Regulation Guidance Documents17619Fannie Mae & Freddie Mac3/26/2015 4:00:00 AMAB 2015-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-03</strong><br></p><p> <strong>RESCISSION OF DIVISION OF ENTERPRISE REGULATION GUIDANCE DOCUMENTS&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to rescind five examination guidance documents issued by the Office of Federal Housing Enterprise Oversight (OFHEO).</p><div><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><p>In an effort to keep guidance related to the examination process current, FHFA regularly reviews outstanding guidance, including guidance issued by its predecessor agencies. &#160;As a result of the most current review, FHFA has determined that five guidance documents issued by OFHEO should be rescinded. &#160;These five guidance documents have been superseded by FHFA guidance, or restate regulations without providing additional guidance, or are no longer relevant or applicable in the current environment. &#160;</p><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></div><div> <br> &#160;</div><div>This Advisory Bulletin rescinds&#58;</div><div>&#160;</div><div><ul><li>PG-00-001&#58; Minimum Safety and Soundness Requirements (12/19/2000)<br></li><li>PG-00-002&#58; Non-Mortgage Liquidity Investments (12/19/2000)<br></li><li>PG-06-001&#58; Examination for Corporate Governance (11/8/2006)<br></li><li>PG-06-003&#58; Examination for Accounting Practices (11/8/2006)<br></li><li>PG-08-002&#58; Standards for Enterprise Use of the Fair Value Option (4/21/2008)<br></li></ul></div></div><div>​<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> ​​​​​​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;Contact Bobbi Montoya, Associate Director, Office of Supervision Policy at (202)&#160;649-3406 or <a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a> or Carol Connelly, Principal Examiner, Examination Standards Branch, at (202) 649-3232 or <a href="mailto&#58;Carol.Connelly@fhfa.gov">Carol.Connelly@fhfa.gov​</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table><br>​</div>3/26/2015 5:00:19 PM1864https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Enterprise Fraud Reporting17620Fannie Mae & Freddie Mac3/26/2015 4:00:00 AMAB 2015-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-02</strong><br></p><p><strong>ENTERPRISE FRAUD REPORTING</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).</p><p>This advisory bulletin rescinds and replaces FHFA’s Regulatory Policy Guidance RPG-2011-001, <em>Reporting of Fraudulent Financial Instruments</em>, dated March 2011.</p><div><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>​The Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. Section 4642) and requires an Enterprise to submit to FHFA a &quot;timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.&#160; </p><p>The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)).&#160;&#160;</p><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>The Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for super​visory oversight purposes. &#160;&#160;</p><p><em>Immediate Notification</em></p><p>To comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director’s designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise. &#160;Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic. &#160;Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise. &#160;</p><p>The Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification.</p><p><em>Timely Reporting</em></p><p>To comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements.&#160;</p><p style="text-decoration&#58;underline;">Monthly Fraud Status Report</p><p>The Enterprises should submit a monthly fraud status report to FHFA. &#160;The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has&#58;</p></div><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><div><ol><li><span style="line-height&#58;22px;">Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</span><br></li><li><span style="line-height&#58;22px;">Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.</span><br></li></ol></div></blockquote><span style="line-height&#58;22px;">FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.</span><div><font color="#404040"><span style="line-height&#58;22px;"><br></span></font><div><div><p>Each Enterprise should provide the Director’s designee(s) with the monthly fraud status report within ten (10) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report. &#160;The report should be sent electronically through secure methods established by FHFA. &#160; </p><p style="text-decoration&#58;underline;">Quarterly Fraud Status Report</p><p>On a quarterly basis, the Enterprises should also report to FHFA the status of any entry required to be reported in the monthly fraud status report for which the Enterprise’s fraud unit has opened a case. &#160;The quarterly fraud status report shall include cases that (1) remain ongoing as of the quarterly report date or (2) were closed during the quarter covered by the report.&#160;</p><p>FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director’s designee(s) with the quarterly fraud status report within ten (10) calendar days after the end of each calendar quarter. &#160;The report should be sent electronically through secure methods established by FHFA. &#160;</p><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>This advisory bulletin becomes effective on June 1, 2015. &#160;The RPG-2011-001 guidance for Immediate Notifications (Section II.A.), Fraud Reports (Section II.C.), and Quarterly Status Submission (Section II.D.) shall continue through the May 31, 2015 reporting period. &#160;All other requirements of RPG-2011-001 are discontinued immediately, including the Annual Review and Conformance Report.&#160;​<span style="line-height&#58;1.6;">​</span></p></div></div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> ​​​​​​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table></div>3/26/2015 5:00:20 PM2718https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Oversight of Single-Family Seller/Servicer Relationships16002Fannie Mae & Freddie Mac12/1/2014 5:00:00 AMAB 2014-07​ <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​ADVISORY BULLETIN&#160;</strong><br><strong></strong></p><p> <strong>AB 2014-07&#160;</strong><br><strong></strong></p><p> <strong>Oversight of Single-Family Seller/Servicer Relationships</strong></p></td></tr></tbody></table><h2> <br> </h2><h2>Purpose</h2><p>This a​dvisory bulletin communicates the Federal Housing Finance Agency’s (FHFA) supervisory expectation that Fannie Mae and Freddie Mac (collectively, the Enterprises) maintain the safety and soundness of their operations by effectively managing counterparty risks. FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputation risks associated with its single-family Seller/Servicer counterparties and to take appropriate action to mitigate those risks or reduce the Enterprise’s exposure. Toward this end, each Enterprise should implement a board-approved risk management framework that specifically includes risk-based oversight of single-family Seller/Servicers. Enterprise oversight should be performed pursuant to policies and procedures as described in this advisory bulletin.</p><h2>​Background</h2><p>The business relationships between the Enterprises and Seller/Servicers are a fundamental component of the Enterprises’ delegated business models. Seller/Servicers engage in business transactions with and on behalf of the Enterprises, principally selling loans and performing servicing functions, under the terms of each Enterprise’s respective selling and servicing guide and other contractual provisions. The term “Seller/Servicer” as used in this advisory bulletin includes all entities that sell single-family mortgage loans to the Enterprises or perform single-family mortgage loan servicing for the Enterprises.</p><p>Seller/Servicers may engage in all aspects of a mortgage loan’s lifecycle or specialize in phases of the lifecycle (e.g., servicing delinquent mortgage loans). Individual Seller/Servicers may present unique risks due to their organizational structure and complexity; operational and technological capabilities and capacity; experience; access to financial resources, both funding and capital; and scope of regulatory oversight.</p><h2>Guidance</h2><p> <em>Risk Management Framework</em><br></p><p>The board of directors is responsible for overseeing the Enterprise’s overall risk management. The use of a third party does not relieve the Enterprise’s board of directors and senior management of their respective responsibilities to oversee and manage the risks that arise out of the Enterprise’s Seller/Servicer relationships.</p><p>FHFA expects each Enterprise to have a risk management framework for Seller/Servicers as part of its enterprise-wide risk management program. An effective risk management framework addresses the Seller/Servicer relationship for the duration of its lifecycle, including due diligence and selection, contract negotiation, ongoing monitoring (including performance review and issue resolution), and termination.</p><p>The framework should incorporate a policy for the oversight of Seller/Servicer relationships. The policy should establish standards for identifying, assessing, monitoring, and managing risks associated with Seller/Servicer relationships. The policy should assign clear roles and responsibilities and require that significant decisions with respect to Seller/Servicers be documented and include all appropriate Enterprise stakeholders, including Enterprise risk management. The policy should require that significant issues related to a Seller/Servicer or exceptions to the policy be reported to senior management. The policy should identify criteria for when significant issues will be reported to the board of directors (or a committee thereof). The policy should be implemented by business line-level policies and procedures that establish processes and controls.</p><p> <em>Selection of Seller/Servicers&#160;</em></p><p> <em></em> <span style="line-height&#58;22px;">Prior to entering into a contractual relationship with a Seller/Servicer, the Enterprise should perform due diligence and document the results. The due diligence should evaluate relevant risks related to a potential Seller/Servicer and should be informed by the factors below. The framework may provide for due diligence to be conducted using a risk-based approach, pursuant to defined criteria.&#160;</span><br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> ​<span style="text-decoration&#58;underline;">Financial Risk Factors</span>&#160;</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>​​Financial risk is the risk of loss due to the Seller/Servicer’s inability to meet its financial obligations. Financial risk may arise due to deterioration in the Seller/Servicer’s financial condition, significant growth, or an unexpected event that causes financial hardship. The Enterprises should consider the following in assessing each potential Seller/Servicer’s financial risk, as appropriate&#58;</p><ul><li> <span style="line-height&#58;22px;">Overall financial strength and financial ratio trends;&#160;</span><br></li><li> <span style="line-height&#58;22px;">B</span><span style="line-height&#58;22px;">usiness plan, expertise, and loan production sources;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Ability to meet selling and servicing guides and other contractual provisions, including representations and warranties, under stable and adverse economic scenarios;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Existing and anticipated sources of income, capital, and liquidity;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Quality of loans;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Projected levels of loans, mortgage servicing rights (MSRs), and other servicing assets (e.g., MSR strips, servicing advances);&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adequacy of fidelity bond and errors and omissions insurance coverage; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Complexity of the Seller/Servicer’s financial structure, in</span><span style="line-height&#58;22px;">cluding the terms of any financial arrangements with other parties.&#160;</span><br></li></ul><p style="text-decoration&#58;underline;"> Operational Risk Factors</p><p>Operational risk is the exposure to loss from inadequate or failed internal processes, people, and systems, or from external events. Operational risk may arise when a Seller/Servicer cannot effectively perform the duties that it has contracted to perform due to deficiencies in its operations or controls. The Enterprises should consider the following in assessing each potential Seller/Servicer’s operational risk, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Current and prospective resources and capacity regarding staffing, facilities, technology infrastructure, and any sub-servicing arrangements;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Organizational structure, complexity, and ownership, including affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Key personnel, principals, and controlling shareholders, including information from background checks, when appropriate;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Reliance on, exposure to, and performance of sub-servicers, location of subservicers, and the Seller/Servicer’s ongoing monitoring program and quality control testing of sub-servicers;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Seller/Servicer oversight of third-party service providers (e.g., mortgage brokers, appraisers) contractually obligated to the Seller/Servicer, not the Enterprise;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Risk management program, internal controls and results of audits or reviews, including independent post-closing loan review process;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Business continuity and contingency planning; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information technology management program, including an information security framework.&#160;</span><br></li></ul><p> <span style="text-decoration&#58;underline;">Legal, Compliance, and Reputation Risk Factors</span>&#160;</p><p>Legal, compliance, and reputation risk exists when a Seller/Servicer’s operations are not consistent with laws, regulations, sound practices, or an Enterprise’s selling and servicing guides and other contracts. The Enterprises should consider the following in assessing the legal, compliance, and reputation risk associated with potential Seller/Servicers, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Maintenance of the appropriate federal and state charters or licenses required for or relevant to operating their business;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Scope of federal and state regulatory oversight, both prudential and consumer protection;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Compliance programs for all applicable laws and regulations, including consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with applicable laws </span><span style="line-height&#58;22px;">and regulations, based upon publicly available information;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information known or reasonably available to an Enterprise about loan originators used by the Seller/Servicer and their compliance with consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about supervisory and legal actions, including criminal and civil actions, taken against the Seller/Servicer, key personnel, principals or controlling shareholders, and affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about investigations and litigation initiated by federal and state authorities, and agreements reached in conjunction with those actions, including the assessment of fines;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Orders issued under the FHFA Suspended Counterparty Program; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Significant consumer complaints or a pattern of consumer complaints</span><span style="line-height&#58;22px;">.&#160;</span><br></li></ul></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;">Evaluation of these risk factors should be consistent with, and supportive of, the standards for approving Seller/Servicers articulated in the risk management policy.&#160;</span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;"><br></span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>Ongoing Monitoring</em>&#160;</p><div> <span style="line-height&#58;22px;">​Monitoring of the Seller/Servicer for the duration of the relationship is essential to an Enterprise’s ability to manage Seller</span><span style="line-height&#58;22px;">/Servicer risks. As part of ongoing monitoring, each Enterprise should have risk-based procedures that require updating information obtained during the approval process and performing subsequent analysis to evaluate changes in a Seller/Servicer’s risk. FHFA expects that ongoing monitoring will be risk-based, so it will vary among individual Seller/Servicers and may change over time for a particular Seller/Servicer. Enterprise policy regarding the scope and frequency of ongoing monitoring activities should be commensurate with the risk associated with the particular Seller/Servicer.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">The documented analysis should take into account factors assessed during the approval process, as well as the following factors, as appropriate&#58;&#160;</span></div><div><ul><li> <span style="line-height&#58;22px;">Volume of loans sold; MSRs retained, sold, transferred, or pledged; and servicing transfer activity, noting rapid or significant changes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Outstanding obligations and past performance regarding recoveries of repurchases and compensatory fees;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adherence to approved terms of business, including capital requirements, sales volume, and product limitations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Delivery and servicing performance record;&#160;</span></li><li> <span style="line-height&#58;22px;">Contractual ability of the Enterprise to access Seller/Servicer records and conduct onsite visits;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of operational reviews performed by the Enterprise;&#160;</span></li><li> <span style="line-height&#58;22px;">Results of the Enterprise’s review of a Seller/Servicer for the Seller/Servicer’s compliance with consumer protection and other laws where the Enterprise may have legal liability as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information about a Seller/Servicer’s compliance with consumer protection laws where the Enterprise may be exposed to significant risk as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with Seller/Servicer guides and other contractual terms, including compliance with laws and regulations, based on Enterprise compliance and quality control reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of fraud and data integrity reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Volume, type, and pattern of Seller/Servicer guide waivers considering documented justification for waivers, and results of ongoing performance reviews of loans with waivers relative to justification and expectations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Sufficiency and timeliness of performance data to evaluate the quality and effectiveness of Seller/Servicer processes for actual and projected volumes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Accuracy and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Changes in the Seller/Servicer’s business model, strategies, or practices; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Operational and system complexity, including after an acquisition or merger involving multiple locations, systems, and processes.&#160;</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">&#160;</span></li></ul></div></blockquote><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <em>Managem​ent</em>&#160;</span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <br></span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">The risk management framework should include policies for the escalation to and subsequent tracking of issues by the Enterprise’s senior management or board of directors (or committee thereof), depending on the type of issue and the risk posed to the Enterprise. In addition, the policies should address the remediation of deficiencies or weaknesses identified in performance criteria or risk areas, as appropriate. The policies should also include standards for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer, including, for example, against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unso</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">und business practices.&#160;</span><br></div><div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div> <span style="line-height&#58;22px;"> <br></span></div></blockquote><h2> Related Guidance and Regulations </h2><div> <em style="color&#58;#404040;font-family&#58;'source sans pro', sans-serif;font-size&#58;14px;line-height&#58;22px;">Mortgage Servicing Transfers</em><span style="line-height&#58;22px;">, Federal Housing Finance Agency Advisory Bulletin 2014-06, June 11, 2014, communicates FHFA’s supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights or the transfer of the operational responsibilities for servicing mortgage loans owned or guaranteed by the Enterprises.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;"> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1227 <em>Suspended Counterparty Program</em> generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1233 <em>Reporting of Fraudulent Financial Instruments </em>requires each regulated entity to make a report to FHFA upon discovery that it has purchased or sold a fraudulent loan or financial instrument or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1236 <em>Prudential Management and Operations Standards, Standard 9 – Management of Credit and Counterparty Risk </em>provides guidelines on the management of credit and counterparty risk.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">Department of the Treasury Financial Crimes Enforcement Network 31 CFR Parts 1010 and 1030 <em>Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises </em>requires each regulated entity to file suspicious activity reports and develop an anti-money laundering program.&#160;</span><br> <div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">​</span></div></div></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​</strong><span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;">Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at 202-649-3405 or <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Office of Supervision Policy, at 202-649-3521 or <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov​</a> with comments or questions pertaining to this bulletin<strong>.</strong><em></em></span></p></td></tr></tbody></table>12/1/2014 7:02:56 PM6232https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Mortgage Servicing Transfers12031Fannie Mae & Freddie Mac6/11/2014 4:00:00 AMAB 2014-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong><br><strong></strong></p><p><strong>AB 2014-06&#160;</strong><br><strong></strong></p><p><strong>Mortgage Servicing Transfers&#160;</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to communicate supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights (MSRs) or the transfer of the operational responsibilities of servicing mortgage loans owned or guaranteed by Fannie Mae and Freddie Mac (collectively, the Enterprises).</p><h2>​Background</h2><p>​The sale and transfer of MSRs or the transfer of mortgage servicing has recently increased for a number of reasons. Some servicing transfers are initiated by the Enterprises. An Enterprise may seek to facilitate or require the transfer of&#160;mortgage servicing to a different servicer in an effort to improve mortgage servicing performance. A transfer may also be necessitated by a mortgage servicer’s failure to meet contractual requirements. Servicing transfer requests may also be initiated by the owner of the MSRs or the servicer of the mortgage portfolio. For example, changes in capital regulations or servicing profitability may prompt commercial banks and financial services companies to seek to reduce MSR holdings. Some non-bank mortgage servicing companies have recently increased acquisitions of MSRs and the servicing of mortgage loans.</p><p>There are different variations for structuring transfers to the acquiring entities. Historically, both the ownership of the MSRs and the servicing of the mortgage loans were transferred to the same entity. However, the MSRs owner and the mortgage AB 2014-06 (June 11, 2014) Public servicer may be separate entities, which would necessitate one or more sub-servicer arrangements. For example, the MSRs owner may be established as a limited liability company with the primary purpose of sub-contracting servicing to one or more servicers. In some situations, more than one entity is responsible for the representations and warranties related to the origination, selling, or servicing of a transferred mortgage servicing portfolio. Different types of entities involved in MSR holding structures can impact the financial, operational, and legal risks associated with any given transfer.</p><p>Any sale and transfer of MSRs or transfer of the operational aspect of servicing mortgage loans owned or guaranteed by Fannie Mae or Freddie Mac requires the approval of the applicable Enterprise in accordance with its seller/servicer guide.</p><div><h2>​Guidance</h2><p>​An&#160;Enterprise&#160;should&#160;only&#160;approve&#160;those&#160;transactions&#160;that&#160;are&#160;consistent&#160;with&#160;sound&#160;business&#160;practice,&#160;aligned&#160;with&#160;the&#160;Enterprise’s board-approved risk appetite, and in compliance with regulatory and&#160;Conservator&#160;requirements.&#160;Certain&#160;bulk servicing transfers also require the approval of FHFA as Conservator for the Enterprises.​</p><p>Each Enterprise should have in place policies and procedures within its risk management&#160;program for evaluating risks of proposed sales or transfers of MSRs and transfers of the&#160;servicing of mortgage loans, considering the particular circumstances of the transfers&#160;(e.g., volume and profile of the loans transferred, structure and complexity of&#160;the&#160;transaction, counterparty exposure, servicing concentrations, and/or borrower&#160;experience). The Enterprise’s policies and procedures should identify, assess, and&#160;appropriately mitigate risk. The policies and procedures should provide for risk-based&#160;periodic reporting to the board of the transfers’ risk effect on the mortgage servicing&#160;portfolio. The Enterprise should maintain documentation of supporting analysis of&#160;transfer approval decisions that is sufficient to enable subsequent supervisory review.</p></div><div><p>​This advisory bulletin sets forth guidance for how each Enterprise should develop&#160;policies and procedures for reviewing and approving the sale and transfer of MSRs or the&#160;transfer of the servicing of mortgage loans. The policies and procedures should enable&#160;the Enterprise to understand its potential counterparty risk exposure resulting from&#160;servicing transfers.</p><p>​Analysis of Mortgage Servicing Transfers</p><p>The Enterprise should analyze and document the terms and conditions of all proposed&#160;transactions. The Enterprise should evaluate the risks and potential benefits of proposed&#160;transfers, taking into account relevant factors regarding the transferee, the transferor, and&#160;the borrower, as well as, the Enterprise’s overall risk management strategy for servicers.&#160;The analysis should incorporate and reflect the views of both risk management and&#160;business line management.</p><p>The analysis should reflect a risk-based approach and consideration of all relevant risks, including (but not limited to) the&#160;following factors&#58;</p><h4>Financial Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Financial strength of the transferee servicer or the MSRs owner based upon a current analysis;</span><br></li><li><span style="line-height&#58;1.6;">Existing and anticipated sources of capital and liquidity for the transferee servicer or the MSRs owner;</span><br></li><li><span style="line-height&#58;1.6;">Confirmation of the responsible party(ies) for origination and servicing representation and warranty obligations;</span><br></li><li><span style="line-height&#58;1.6;">Ability of all relevant participants to meet contractual obligations, including representations and warranties and other&#160;contractual obligations, including during adverse scenarios in which the counterparty may have trouble accessing liquidity and capital;</span><br></li><li><span style="line-height&#58;1.6;">Terms of any financial support arrangements (e.g., letters of credit, net worth or other guarantees, or other investment structures that securitize the servicing income or the advance receivables); and</span><br></li><li><span style="line-height&#58;1.6;">Complexity of the counterparty financial structure, including financial arrangements with other parties.</span><br></li></ul><h4>​Operational Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">The Enterprise’s, the transferee’s, and the transferor’s business objective for the proposed transfer;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s status as an “approved” servicer by the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s delegations and authority to conduct business on behalf of the Enterprise in relation to the servicing portfolio being transferred;</span><br></li><li><span style="line-height&#58;1.6;">Organizational structure, location, management team, and operations of the transferee servicer and any sub-servicers;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s expertise and performance record, including the results of recently conducted Enterprise on-site reviews;</span><br></li><li><span style="line-height&#58;1.6;">Servicing fee distribution between the MSRs owner and the transferee servicer to ensure proper alignment of incentives and coverage of costs;</span><br></li><li><span style="line-height&#58;1.6;">Servicer capacity, taking into account staffing, facilities, information technology systems, and any sub-servicing arrangements;</span><br></li><li><span style="line-height&#58;1.6;">Outstanding obligations and past performance regarding repurchase recoveries and compensatory fee recoveries;</span><br></li><li><span style="line-height&#58;1.6;">Operational complexity of the transaction;</span><br></li><li><span style="line-height&#58;1.6;">Third party service providers or vendors contractually obligated to the servicer, but not to the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Adequacy of the transferee servicer’s business continuity plan, inclusive of any applicable sub-servicers or material vendors;</span><br></li><li><span style="line-height&#58;1.6;">Current and potential effects of the transfer on borrowers, including those associated with in-process workouts, bankruptcies, and litigation; and</span><br></li><li><span style="line-height&#58;1.6;">Overall effect of the transfer on the servicer relationship and any resulting counterparty concentrations for an Enterprise.</span><br></li></ul><h4>Legal and Compliance Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Potential compliance risk associated with the characteristics of the mortgage loans being serviced;</span><br></li><li><span style="line-height&#58;1.6;">Based upon publicly available information, the transferor servicer’s, transferee servicer’s, and any sub-servicer’s record of compliance with consumer protection laws, including provisions of the Consumer Financial Protection Bureau’s Regulation X, which implements the Real Estate Settlement Procedures Act;</span><br></li><li><span style="line-height&#58;1.6;">Extent to which the transferor servicer, transferee servicer, and any sub-servicer is subject to federal or state regulatory oversight; and</span><br></li><li><span style="line-height&#58;1.6;">Any public regulatory or other enforcement actions relating to safety and soundness, legal, or compliance issues (e.g., consumer compliance, fraud, financial reporting) of the servicers or sub-servicers.</span><br></li></ul><p>Policies and procedures should be consistent with prudent counterparty risk management practices and with FHFA&#160;guidance, including risk-based contingency planning in accordance with FHFA Advisory Bulletin AB-2013-01, Contingency Planning for High-Risk or High-Volume Counterparties, as appropriate.</p><div><p><em class="ms-rteFontSize-2">Transfer Execution Monitoring</em></p><p>The Enterprise’s policies and procedures should clearly outline its expectations to facilitate the transfer of data and records. Further, the Enterprise should have a risk-based process to monitor the execution of the transfers so that all servicing transfers occur in a timely manner and in accordance with approved terms, servicing guide requirements, and applicable mortgage servicing transfer-related laws and regulations. The Enterprise should also have a process to update and&#160;maintain its systems to accurately identify all parties involved in the servicing of a particular loan portfolio.</p><p>Monitoring should cover the transfer of loan records, information regarding loans with loss mitigation in process (including loan modifications), compliance with laws and regulations relating to mortgage servicing transfers, compliance with&#160;approved terms including loan product types and status of loans to be transferred, and quality control review results. For loans that are subject to existing loss mitigation agreements or have loan modification agreements in process, the&#160;transfer terms should require the transferee servicer to honor and abide by such agreements or propose options that are no less beneficial to the borrower, and provide for the transferee servicer to obtain all information needed to complete the modification. Transfer execution monitoring should encompass consideration of all relevant participants, including the MSRs owners, servicers, sub-servicers, and third party service providers and vendors, as appropriate.</p><p>Policies and procedures for Enterprise approval determinations should incorporate assessments of the effectiveness of any prior transfers. Transfer execution monitoring AB 2014-06 (June 11, 2014) Public​&#160;should continue for a sufficient period of time post-transfer to enable the Enterprise to evaluate the effectiveness of the transfer and incorporate that evaluation in future approval decisions.</p><h2>​Related Guidance</h2><p>​​Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p><div><br></div></div></div>9/18/2014 7:25:23 PM7228https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx

© 2017 Federal Housing Finance Agency